stealerium | ae49d51ca93adebeea1eae0fe3645809fe91671f63b2c8f2569a035d6ae7d38b

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
06-11-2024 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Synapse Launcher.exe
Size

15.7MB
MD5

9507d05f0d2f28149eec1930c1031d94
SHA1

32cc7a5f1f043ed0c10cac788abf5c0801c6cc4c
SHA256

87c21992315d51ffe777184589055ba8da61e193a5b496aeda1c2984937334d2
SHA512

967beb46fff00131676ed61fe136ec91b1d77d852e6ba2e9879eacd774680ad3dc5b4705a595a31d7625809f884578d9ee9452c463ecefe85d8df191c1e4c4b6
SSDEEP

393216:G64ns61cIWoFWPpWku6bVhJ6QnlOlc1BLqrWurzVYzDLHsofoh:G64nFcop6JPnlT1Rqq+WzEf

Score

10^/10

stealerium defense_evasion discovery pyinstaller stealer upx

Malware Config

Extracted

Family

stealerium

https://discord.com/api/webhooks/1059257026649280543/pk0Jr6z_TpQHEIIqtC9uR_BXeOTj2oOHhRtZbXcbitjoBYmv2qddw8tGVRZU7umUF1ha

Signatures

Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
Stealerium family
stealerium

Executes dropped EXE 4 IoCs

pid	Process
2704	build.exe
2144	main.exe
2648	main.exe
1260	Process not Found

Loads dropped DLL 4 IoCs

pid	Process
1072	Synapse Launcher.exe
1072	Synapse Launcher.exe
2144	main.exe
2648	main.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	discord.com
7	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral9/files/0x000500000001c8be-104.dat	upx
behavioral9/memory/2648-106-0x000007FEF5E20000-0x000007FEF628E000-memory.dmp	upx

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral9/files/0x0005000000019f8a-9.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synapse Launcher.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2244	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
636	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2756	powershell.exe
2704	build.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2704	build.exe
Token: SeDebugPrivilege	636	taskkill.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 2756	1072	Synapse Launcher.exe	30
PID 1072 wrote to memory of 2756	1072	Synapse Launcher.exe	30
PID 1072 wrote to memory of 2756	1072	Synapse Launcher.exe	30
PID 1072 wrote to memory of 2756	1072	Synapse Launcher.exe	30
PID 1072 wrote to memory of 2756	1072	Synapse Launcher.exe	30
PID 1072 wrote to memory of 2756	1072	Synapse Launcher.exe	30
PID 1072 wrote to memory of 2756	1072	Synapse Launcher.exe	30
PID 1072 wrote to memory of 2704	1072	Synapse Launcher.exe	32
PID 1072 wrote to memory of 2704	1072	Synapse Launcher.exe	32
PID 1072 wrote to memory of 2704	1072	Synapse Launcher.exe	32
PID 1072 wrote to memory of 2704	1072	Synapse Launcher.exe	32
PID 1072 wrote to memory of 2704	1072	Synapse Launcher.exe	32
PID 1072 wrote to memory of 2704	1072	Synapse Launcher.exe	32
PID 1072 wrote to memory of 2704	1072	Synapse Launcher.exe	32
PID 1072 wrote to memory of 2144	1072	Synapse Launcher.exe	33
PID 1072 wrote to memory of 2144	1072	Synapse Launcher.exe	33
PID 1072 wrote to memory of 2144	1072	Synapse Launcher.exe	33
PID 1072 wrote to memory of 2144	1072	Synapse Launcher.exe	33
PID 2144 wrote to memory of 2648	2144	main.exe	34
PID 2144 wrote to memory of 2648	2144	main.exe	34
PID 2144 wrote to memory of 2648	2144	main.exe	34
PID 2704 wrote to memory of 1776	2704	build.exe	36
PID 2704 wrote to memory of 1776	2704	build.exe	36
PID 2704 wrote to memory of 1776	2704	build.exe	36
PID 2704 wrote to memory of 1776	2704	build.exe	36
PID 2704 wrote to memory of 1776	2704	build.exe	36
PID 2704 wrote to memory of 1776	2704	build.exe	36
PID 2704 wrote to memory of 1776	2704	build.exe	36
PID 1776 wrote to memory of 2080	1776	cmd.exe	38
PID 1776 wrote to memory of 2080	1776	cmd.exe	38
PID 1776 wrote to memory of 2080	1776	cmd.exe	38
PID 1776 wrote to memory of 2080	1776	cmd.exe	38
PID 1776 wrote to memory of 2080	1776	cmd.exe	38
PID 1776 wrote to memory of 2080	1776	cmd.exe	38
PID 1776 wrote to memory of 2080	1776	cmd.exe	38
PID 1776 wrote to memory of 636	1776	cmd.exe	39
PID 1776 wrote to memory of 636	1776	cmd.exe	39
PID 1776 wrote to memory of 636	1776	cmd.exe	39
PID 1776 wrote to memory of 636	1776	cmd.exe	39
PID 1776 wrote to memory of 636	1776	cmd.exe	39
PID 1776 wrote to memory of 636	1776	cmd.exe	39
PID 1776 wrote to memory of 636	1776	cmd.exe	39
PID 1776 wrote to memory of 2244	1776	cmd.exe	40
PID 1776 wrote to memory of 2244	1776	cmd.exe	40
PID 1776 wrote to memory of 2244	1776	cmd.exe	40
PID 1776 wrote to memory of 2244	1776	cmd.exe	40
PID 1776 wrote to memory of 2244	1776	cmd.exe	40
PID 1776 wrote to memory of 2244	1776	cmd.exe	40
PID 1776 wrote to memory of 2244	1776	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\Synapse Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Synapse Launcher.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAeAB0ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAG4AagB0ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAVABoAGUAIABhAHAAcABsAGkAYwBhAHQAaQBvAG4AIABmAGEAaQBsAGUAZAAgAHQAbwAgAHMAdABhAHIAdAAgAGIAZQBjAGEAdQBzAGUAIABuAG8AIABRAHQAIABwAGwAYQB0AGYAbwByAG0AIABwAGwAdQBnAGkAbgAgAGMAbwB1AGwAZAAgAGIAZQAgAGkAbgBpAHQAaQBhAGwAaQB6AGUAZAAuACAAUgBlAGkAbgBzAHQAYQBsAGwAaQBuAGcAIAB0AGgAZQAgAGEAcABwAGwAaQBjAGEAdABpAG8AbgAgAG0AYQB5ACAAZgBpAHgAIAB0AGgAaQBzACAAcAByAG8AYgBsAGUAbQAuACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwB1AHEAcQAjAD4A"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2756
- C:\Users\Admin\AppData\Roaming\build.exe
  "C:\Users\Admin\AppData\Roaming\build.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp51D8.tmp.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1776
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:2080
  - - C:\Windows\SysWOW64\taskkill.exe
      TaskKill /F /IM 2704
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:636
  - - C:\Windows\SysWOW64\timeout.exe
      Timeout /T 2 /Nobreak
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2244
- C:\Users\Admin\AppData\Local\main.exe
  "C:\Users\Admin\AppData\Local\main.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Users\Admin\AppData\Local\main.exe
    "C:\Users\Admin\AppData\Local\main.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI21442\python310.dll

Filesize
1.4MB

MD5
69d4f13fbaeee9b551c2d9a4a94d4458

SHA1
69540d8dfc0ee299a7ff6585018c7db0662aa629

SHA256
801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046

SHA512
8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp51D8.tmp.bat

Filesize
57B

MD5
6ad176a928fa3cd2fdc12806b7e61461

SHA1
c3eac2068660ac94b5bff864d8f23c59b81b1f34

SHA256
1a31d26b52ca62f1c91d12de8c2544cc6d5e989fb3e4c4efbbd44e1c1821522d

SHA512
ab846a1b3aeae3aa73b8ce54daa73ef52ebbfe2fc55131f0617996c636965689c06f9af071c538e9c5f756e8116bbcaf60b13e762efe2578d5027b576acfe1d4

Download Submit
\Users\Admin\AppData\Local\main.exe

Filesize
13.9MB

MD5
bcaa8bcf022e00512e59cc97e00ceb01

SHA1
5c6251ebe9c038144a25510f0a3d2da015fa7f53

SHA256
73879556ea54c70a5c18448e4829582f5b9a9dce37a1af4ed77d1e06da47d231

SHA512
b048ad6e2c91d32c2d6bb68828fc8a19662c5190244d49254ee49a19e46dd9f78213bcd66a52b7c177ba11bd668b625285b066f16dfa060aea44ee2b17c956f4

Download Submit
\Users\Admin\AppData\Roaming\build.exe

Filesize
1.5MB

MD5
7f43a0507a95f5297610efab2298639a

SHA1
56193022af2153fcbcde44e0ea72830f147cea67

SHA256
bf543112cc1ccdfe53c26ebf0da35054dade5d5b037a5bbb835a05e798641a64

SHA512
a51277dbb068b1d050bcb9ee3fa79b365a0640f3062e87607e13566b514bfeedeaaf0f101a5b4273a65efbaf25a99d26707635b0f04cc85e3b503b82f27f1134

Download Submit
memory/2648-106-0x000007FEF5E20000-0x000007FEF628E000-memory.dmp

Filesize
4.4MB

Download
memory/2704-107-0x0000000000E40000-0x0000000000FC4000-memory.dmp

Filesize
1.5MB

Download