stealerium | 118929fa7bb48dd46b39a24144202096725293c56c310b56420ddf7976567710

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04/11/2024, 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Kirame.Host/Kirame.Host.exe
Size

1.6MB
MD5

c7085202e7a5620160f9d4fdf1219df2
SHA1

abe00b161c2f83ee83133b187262bf6289e88339
SHA256

00b2a7341252cef219c7070853a4e7cf4ce086a69de1c10ceee91fe8a6add013
SHA512

8f91ba27d9f83be857c12b2b9339ebd83f2f77c11f3d4610347de3f8a54321e25d1ff197596fc952da0920344990738a8de57921250e03c2c4bc340c4b4e7640
SSDEEP

24576:eQi2Q9NXw2/wPOjdGxYqfw+Jwz/S/6RZs8nVW6k5JHkARt7DBAqn+/:evTq24GjdGSgw+W7SCRnVQTEQ/BA8+

Score

10^/10

stealerium discovery stealer

Malware Config

Extracted

Family

stealerium

https://discord.com/api/webhooks/1047654116228345967/dT7jUV207CYFaDTyw5AjhdZqXpjCIIxGZ_EDkNw3xvWyEvVdBpBpamsgIddePN8lC8mc

Signatures

Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
Stealerium family
stealerium

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Kirame.Host.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
24	discord.com
25	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kirame.Host.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3536	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3104	taskkill.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1924	Kirame.Host.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1924	Kirame.Host.exe
Token: SeDebugPrivilege	3104	taskkill.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 1572	1924	Kirame.Host.exe	92
PID 1924 wrote to memory of 1572	1924	Kirame.Host.exe	92
PID 1924 wrote to memory of 1572	1924	Kirame.Host.exe	92
PID 1572 wrote to memory of 4400	1572	cmd.exe	94
PID 1572 wrote to memory of 4400	1572	cmd.exe	94
PID 1572 wrote to memory of 4400	1572	cmd.exe	94
PID 1572 wrote to memory of 3104	1572	cmd.exe	95
PID 1572 wrote to memory of 3104	1572	cmd.exe	95
PID 1572 wrote to memory of 3104	1572	cmd.exe	95
PID 1572 wrote to memory of 3536	1572	cmd.exe	96
PID 1572 wrote to memory of 3536	1572	cmd.exe	96
PID 1572 wrote to memory of 3536	1572	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\Kirame.Host\Kirame.Host.exe
"C:\Users\Admin\AppData\Local\Temp\Kirame.Host\Kirame.Host.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp8BC5.tmp.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4400
- - C:\Windows\SysWOW64\taskkill.exe
    TaskKill /F /IM 1924
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3104
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /T 2 /Nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8BC5.tmp.bat

Filesize
57B

MD5
18dc862433f90d9443a4d14a22d98807

SHA1
e581094a637b0717de0c47eb08878b82b18f9783

SHA256
76256d31007ad74070d60d907a81c30ea2ae6859c76f2cc3a9732bf891014071

SHA512
d1cc166bd1bd8b0620aa0b4fb08b9b9143761aed2e69d289a6fd3ca76ba703e8d203e9a3ed882d9ecb3ef1f1ddc5e056b5f90201b8240e50b0f65bd64ad7cd4d

Download Submit
memory/1924-0-0x0000000074B0E000-0x0000000074B0F000-memory.dmp

Filesize
4KB

Download
memory/1924-1-0x0000000000350000-0x00000000004E8000-memory.dmp

Filesize
1.6MB

Download
memory/1924-2-0x0000000004F20000-0x0000000004F86000-memory.dmp

Filesize
408KB

Download
memory/1924-3-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/1924-10-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download