Malware Analysis Report

2024-12-01 03:05

Sample ID 241111-jdrheawajl
Target stealer.exe
SHA256 f22d2c21fddbe9b5bc017a22079fe17dfc26601b837cf30541847b401ae5d4d7
Tags: collection, discovery, spyware, stealer

Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256

f22d2c21fddbe9b5bc017a22079fe17dfc26601b837cf30541847b401ae5d4d7

Threat Level: Shows suspicious behavior

The file stealer.exe was classified as showing suspicious behavior (score 7/10).

Malicious Activity Summary

Tags: collection, discovery, spyware, stealer

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Reads WinSCP keys stored on the system

Legitimate hosting services abused for malware hosting/C2

Accesses Microsoft Outlook profiles

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

outlook_win_path

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 07:33

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 07:33

Reported

2024-11-11 07:37

Platform

win11-20241007-en

Max time kernel

213s

Max time network

215s

Command Line

"C:\Users\Admin\AppData\Local\Temp\stealer.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\stealer.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\stealer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\stealer.exe | N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\stealer.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\stealer.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\stealer.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | discord.com | N/A | N/A
N/A | discord.com | N/A | N/A
N/A | discord.com | N/A | N/A
N/A | discord.com | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\stealer.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\stealer.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\stealer.exe | N/A

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\stealer.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\stealer.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\stealer.exe

"C:\Users\Admin\AppData\Local\Temp\stealer.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\stealer.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\stealer.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | discord.com | udp
US | 162.159.138.232:443 | discord.com | tcp
US | 8.8.8.8:53 | 232.138.159.162.in-addr.arpa | udp
US | 162.159.138.232:443 | discord.com | tcp
CZ | 194.15.112.248:443 | oshi.at | tcp
US | 143.244.215.221:443 | file.io | tcp
US | 162.159.138.232:443 | discord.com | tcp
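Turning the table above into indicators takes a little care: the rows to 8.8.8.8:53 are DNS queries to the sandbox resolver (the queried name is the indicator, not the resolver), and one of them is a reverse lookup whose in-addr.arpa name has to be unreversed to recover the IP the sample was checking. The script below is an added example, not part of the sandbox report; the input rows are copied from the table, the resolver address and the list of "legitimate services abused for hosting/exfil" are assumptions made for the example.

```python
"""Pull network IOCs out of a sandbox connection table and decode PTR lookups."""
import ipaddress
from typing import Dict, List, Optional, Set

# Constructed sample input: the seven rows of the Network table in this report,
# in the sandbox's "Country Destination Domain Proto" column order.
NETWORK_ROWS = """\
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 232.138.159.162.in-addr.arpa udp
US 162.159.138.232:443 discord.com tcp
CZ 194.15.112.248:443 oshi.at tcp
US 143.244.215.221:443 file.io tcp
US 162.159.138.232:443 discord.com tcp
"""

# Assumption: public services an analyst treats as "legitimate hosting abused
# for malware hosting/exfil"; extend to taste.
ABUSED_SERVICES = {"discord.com", "file.io", "oshi.at"}

# Assumption: the sandbox's upstream resolver; port-53 rows to it are queries, not C2.
RESOLVERS = {"8.8.8.8"}


def ptr_to_ip(name: str) -> Optional[str]:
    """Decode a reverse-lookup name: '232.138.159.162.in-addr.arpa' -> '162.159.138.232'."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def parse_rows(text: str) -> List[Dict[str, object]]:
    """Parse 'Country ip:port domain proto' rows; malformed lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        if not port.isdigit():
            continue
        conns.append({"country": country, "ip": ip, "port": int(port),
                      "domain": domain, "proto": proto})
    return conns


def extract_iocs(text: str) -> Dict[str, Set[str]]:
    """Split the table into actionable indicators.

    - 'domains': names the sample resolved or connected to
    - 'ips': endpoints it actually spoke to (resolver excluded)
    - 'abused_services': subset of domains found in ABUSED_SERVICES
    - 'reverse_lookups': IPs the sample asked PTR records for
    """
    iocs: Dict[str, Set[str]] = {k: set() for k in
                                 ("domains", "ips", "abused_services", "reverse_lookups")}
    for c in parse_rows(text):
        if c["port"] == 53 and c["ip"] in RESOLVERS:
            ip = ptr_to_ip(str(c["domain"]))
            if ip:
                iocs["reverse_lookups"].add(ip)
            else:
                iocs["domains"].add(str(c["domain"]))
            continue
        iocs["domains"].add(str(c["domain"]))
        iocs["ips"].add(str(c["ip"]))
        if c["domain"] in ABUSED_SERVICES:
            iocs["abused_services"].add(str(c["domain"]))
    return iocs


if __name__ == "__main__":
    for kind, values in extract_iocs(NETWORK_ROWS).items():
        print(f"{kind}: {', '.join(sorted(values)) or '-'}")
```

Treat the resulting IPs as weak indicators: the discord.com endpoint sits behind a shared CDN, so blocking it would also break legitimate tenants; the domains and, where the sandbox captured them, the URL paths are what belong in a detection.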

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\stealer.exe

MD5 d9efb581e34742cc7883ad4133ad7c5e
SHA1 e021f9df7fbbb86720a1f2cbbee01349f626fe61
SHA256 47f4634533a48744f8bdc5b34d0eed86f8750e9eac42447ccf1d73bde09e6e5e
SHA512 7eb04e425685155f53825fb24429c57ca396fedc69979dc71b9c67e4db76dbc0429208adda614272e9f8c93f5a74b174486b01392334c74fb02dae9ab540409b

memory/244-28-0x00000000730AE000-0x00000000730AF000-memory.dmp

memory/244-29-0x00000000003A0000-0x0000000000426000-memory.dmp

memory/244-30-0x00000000730A0000-0x0000000073851000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DotNetZip.dll

MD5 a999d7f3807564cc816c16f862a60bbe
SHA1 1ee724daaf70c6b0083bf589674b6f6d8427544f
SHA256 8e9c0362e9bfb3c49af59e1b4d376d3e85b13aed0fbc3f5c0e1ebc99c07345f3
SHA512 6f1f73314d86ae324cc7f55d8e6352e90d4a47f0200671f7069daa98592daaceea34cf89b47defbecdda7d3b3e4682de70e80a5275567b82aa81b002958e4414

memory/244-34-0x0000000005DC0000-0x0000000005E3A000-memory.dmp

memory/244-35-0x0000000006640000-0x0000000006802000-memory.dmp

memory/244-37-0x0000000006000000-0x0000000006050000-memory.dmp

memory/244-36-0x00000000062A0000-0x0000000006316000-memory.dmp

memory/244-38-0x0000000007140000-0x000000000766C000-memory.dmp

memory/244-39-0x0000000006280000-0x000000000629E000-memory.dmp

memory/244-44-0x00000000730AE000-0x00000000730AF000-memory.dmp

memory/244-45-0x00000000730A0000-0x0000000073851000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\temp4821687326874_xeno.zip

MD5 73dfe6e27af2d0f9e9b051c66c041f98
SHA1 406027e2db1242c22c3e1a6bed730d8fcd05d4e1
SHA256 8e06dfec0dbaa2a00b14019d4ea222f6a007336f0e4e43d638b541b1280fab9e
SHA512 ee2522cf27a7b0f166641c6604787bab9c71f6e0a94cb38ed5313afb61718cb4c484ee64a6f7796c0667c240c4d154a3289ae5654ffcb4e5f7312f42f7d5cdab
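The RarSFX0 directory under %TEMP% is where a WinRAR self-extracting stub unpacks its payload, so the submitted stealer.exe is an SFX wrapper whose archive sits in the PE overlay (the bytes after the last section's raw data). The script below is an added example, not part of this report or of any WinRAR tooling: it computes the overlay offset from the section table, looks for the RAR4/RAR5 signatures only from that point on, and carves and hashes the archive so it can be compared with the dropped-file hashes a sandbox lists. The PE in build_sample_sfx is a constructed, non-runnable stub used only to exercise the code.

```python
"""Find and carve a RAR archive appended to a PE file (WinRAR SFX layout)."""
import hashlib
import struct
import sys
from typing import Dict, Optional, Tuple

RAR4_MAGIC = b"Rar!\x1a\x07\x00"      # RAR 1.5 - 4.x archive signature
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"  # RAR 5.x archive signature


def overlay_offset(pe: bytes) -> int:
    """Offset where the PE's section data ends; anything after it is overlay.

    Computed from the section table as max(PointerToRawData + SizeOfRawData),
    which is where an SFX stub's appended archive begins.
    """
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    sec_table = coff + 20 + opt_size
    end = sec_table + 40 * num_sections          # overlay cannot start inside the headers
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 of each 40-byte entry
        raw_size, raw_ptr = struct.unpack_from("<II", pe, sec_table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def find_rar(pe: bytes) -> Optional[Tuple[int, str]]:
    """First RAR signature at or after the overlay, as (offset, 'RAR4' | 'RAR5')."""
    start = overlay_offset(pe)
    best = None
    for magic, version in ((RAR5_MAGIC, "RAR5"), (RAR4_MAGIC, "RAR4")):
        off = pe.find(magic, start)
        if off != -1 and (best is None or off < best[0]):
            best = (off, version)
    return best


def carve_rar(pe: bytes) -> Optional[Dict[str, object]]:
    """Slice the archive out of the stub and hash it for matching against file lists."""
    hit = find_rar(pe)
    if hit is None:
        return None
    off, version = hit
    payload = pe[off:]
    return {"offset": off, "version": version, "size": len(payload),
            "sha256": hashlib.sha256(payload).hexdigest()}


def build_sample_sfx() -> bytes:
    """Constructed test input: a minimal, non-runnable PE stub with a fake RAR5
    archive appended. The .text section carries a decoy RAR4 signature to show
    why the scan must start at the overlay rather than at byte 0."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, one section
    opt = bytes(224)                                                # zeroed PE32 optional header
    sec = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + opt + sec).ljust(0x200, b"\0")
    text = (RAR4_MAGIC + b"decoy").ljust(0x200, b"\x90")           # section data, decoy inside
    archive = RAR5_MAGIC + bytes(32)                                 # fake archive body
    return headers + text + archive


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_sfx()
    print(carve_rar(data))
```

Run it against the submitted sample as `python carve_sfx.py stealer.exe`; the carved archive can then be listed with any RAR tool without executing the stub, and its contents hashed to confirm they match the RarSFX0\stealer.exe and DotNetZip.dll entries above.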