Analysis Overview
SHA256
f22d2c21fddbe9b5bc017a22079fe17dfc26601b837cf30541847b401ae5d4d7
Threat Level: Shows suspicious behavior
The file stealer.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Reads WinSCP keys stored on the system
Legitimate hosting services abused for malware hosting/C2
Accesses Microsoft Outlook profiles
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
outlook_win_path
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 07:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 07:33
Reported
2024-11-11 07:37
Platform
win11-20241007-en
Max time kernel
213s
Max time network
215s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\stealer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\stealer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\stealer.exe | N/A |
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\stealer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\stealer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\stealer.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\stealer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\stealer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\stealer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4496 wrote to memory of 244 | N/A | C:\Users\Admin\AppData\Local\Temp\stealer.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\stealer.exe |
| PID 4496 wrote to memory of 244 | N/A | C:\Users\Admin\AppData\Local\Temp\stealer.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\stealer.exe |
| PID 4496 wrote to memory of 244 | N/A | C:\Users\Admin\AppData\Local\Temp\stealer.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\stealer.exe |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\stealer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\stealer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\stealer.exe
"C:\Users\Admin\AppData\Local\Temp\stealer.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\stealer.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\stealer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.138.159.162.in-addr.arpa | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| CZ | 194.15.112.248:443 | oshi.at | tcp |
| US | 143.244.215.221:443 | file.io | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\stealer.exe
| MD5 | d9efb581e34742cc7883ad4133ad7c5e |
| SHA1 | e021f9df7fbbb86720a1f2cbbee01349f626fe61 |
| SHA256 | 47f4634533a48744f8bdc5b34d0eed86f8750e9eac42447ccf1d73bde09e6e5e |
| SHA512 | 7eb04e425685155f53825fb24429c57ca396fedc69979dc71b9c67e4db76dbc0429208adda614272e9f8c93f5a74b174486b01392334c74fb02dae9ab540409b |
memory/244-28-0x00000000730AE000-0x00000000730AF000-memory.dmp
memory/244-29-0x00000000003A0000-0x0000000000426000-memory.dmp
memory/244-30-0x00000000730A0000-0x0000000073851000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DotNetZip.dll
| MD5 | a999d7f3807564cc816c16f862a60bbe |
| SHA1 | 1ee724daaf70c6b0083bf589674b6f6d8427544f |
| SHA256 | 8e9c0362e9bfb3c49af59e1b4d376d3e85b13aed0fbc3f5c0e1ebc99c07345f3 |
| SHA512 | 6f1f73314d86ae324cc7f55d8e6352e90d4a47f0200671f7069daa98592daaceea34cf89b47defbecdda7d3b3e4682de70e80a5275567b82aa81b002958e4414 |
memory/244-34-0x0000000005DC0000-0x0000000005E3A000-memory.dmp
memory/244-35-0x0000000006640000-0x0000000006802000-memory.dmp
memory/244-37-0x0000000006000000-0x0000000006050000-memory.dmp
memory/244-36-0x00000000062A0000-0x0000000006316000-memory.dmp
memory/244-38-0x0000000007140000-0x000000000766C000-memory.dmp
memory/244-39-0x0000000006280000-0x000000000629E000-memory.dmp
memory/244-44-0x00000000730AE000-0x00000000730AF000-memory.dmp
memory/244-45-0x00000000730A0000-0x0000000073851000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\temp4821687326874_xeno.zip
| MD5 | 73dfe6e27af2d0f9e9b051c66c041f98 |
| SHA1 | 406027e2db1242c22c3e1a6bed730d8fcd05d4e1 |
| SHA256 | 8e06dfec0dbaa2a00b14019d4ea222f6a007336f0e4e43d638b541b1280fab9e |
| SHA512 | ee2522cf27a7b0f166641c6604787bab9c71f6e0a94cb38ed5313afb61718cb4c484ee64a6f7796c0667c240c4d154a3289ae5654ffcb4e5f7312f42f7d5cdab |