Malware Analysis Report

2024-12-07 19:37

Sample ID 241114-k1zb7swkfw
Target 06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c
SHA256 06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c
Tags
stealc tale credential_access discovery evasion spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c

Threat Level: Known bad

The file 06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c was found to be: Known bad.

Malicious Activity Summary

stealc tale credential_access discovery evasion spyware stealer

Stealc

Stealc family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Reads data files stored by FTP clients

Unsecured Credentials: Credentials In Files

Checks computer location settings

Deletes itself

Identifies Wine through registry keys

Loads dropped DLL

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 09:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 09:04

Reported

2024-11-14 09:07

Platform

win7-20240903-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe"

Signatures

Stealc

stealer stealc

Stealc family

stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe N/A

Reads data files stored by FTP clients

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe

"C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

Network

Country Destination Domain Proto
RU 185.215.113.206:80 185.215.113.206 tcp

Files

memory/3024-0-0x00000000011E0000-0x00000000018F7000-memory.dmp

memory/3024-1-0x0000000077600000-0x0000000077602000-memory.dmp

memory/3024-2-0x00000000011E1000-0x0000000001249000-memory.dmp

memory/3024-3-0x00000000011E0000-0x00000000018F7000-memory.dmp

\ProgramData\chrome.dll

MD5 eda18948a989176f4eebb175ce806255
SHA1 ff22a3d5f5fb705137f233c36622c79eab995897
SHA256 81a4f37c5495800b7cc46aea6535d9180dadb5c151db6f1fd1968d1cd8c1eeb4
SHA512 160ed9990c37a4753fc0f5111c94414568654afbedc05308308197df2a99594f2d5d8fe511fd2279543a869ed20248e603d88a0b9b8fb119e8e6131b0c52ff85

memory/3024-8-0x00000000011E0000-0x00000000018F7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 09:04

Reported

2024-11-14 09:07

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe"

Signatures

Stealc

stealer stealc

Stealc family

stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe N/A

Reads data files stored by FTP clients

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe

"C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
RU 185.215.113.206:80 185.215.113.206 tcp
US 8.8.8.8:53 20.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 206.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 22.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/2520-0-0x0000000000540000-0x0000000000C57000-memory.dmp

memory/2520-1-0x0000000077274000-0x0000000077276000-memory.dmp

memory/2520-2-0x0000000000541000-0x00000000005A9000-memory.dmp

memory/2520-3-0x0000000000540000-0x0000000000C57000-memory.dmp

C:\ProgramData\chrome.dll

MD5 eda18948a989176f4eebb175ce806255
SHA1 ff22a3d5f5fb705137f233c36622c79eab995897
SHA256 81a4f37c5495800b7cc46aea6535d9180dadb5c151db6f1fd1968d1cd8c1eeb4
SHA512 160ed9990c37a4753fc0f5111c94414568654afbedc05308308197df2a99594f2d5d8fe511fd2279543a869ed20248e603d88a0b9b8fb119e8e6131b0c52ff85

memory/2520-10-0x0000000000540000-0x0000000000C57000-memory.dmp