Analysis Overview
SHA256
06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c
Threat Level: Known bad
The file 06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c was found to be: Known bad.
Malicious Activity Summary
Stealc
Stealc family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
Reads data files stored by FTP clients
Unsecured Credentials: Credentials In Files
Checks computer location settings
Deletes itself
Identifies Wine through registry keys
Loads dropped DLL
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-14 09:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-14 09:04
Reported
2024-11-14 09:07
Platform
win7-20240903-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Stealc
Stealc family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe | N/A |
Reads data files stored by FTP clients
Unsecured Credentials: Credentials In Files
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe
"C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 5
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| RU | 185.215.113.206:80 | 185.215.113.206 | tcp |
Files
memory/3024-0-0x00000000011E0000-0x00000000018F7000-memory.dmp
memory/3024-1-0x0000000077600000-0x0000000077602000-memory.dmp
memory/3024-2-0x00000000011E1000-0x0000000001249000-memory.dmp
memory/3024-3-0x00000000011E0000-0x00000000018F7000-memory.dmp
\ProgramData\chrome.dll
| Hash | Value |
| --- | --- |
| MD5 | eda18948a989176f4eebb175ce806255 |
| SHA1 | ff22a3d5f5fb705137f233c36622c79eab995897 |
| SHA256 | 81a4f37c5495800b7cc46aea6535d9180dadb5c151db6f1fd1968d1cd8c1eeb4 |
| SHA512 | 160ed9990c37a4753fc0f5111c94414568654afbedc05308308197df2a99594f2d5d8fe511fd2279543a869ed20248e603d88a0b9b8fb119e8e6131b0c52ff85 |
memory/3024-8-0x00000000011E0000-0x00000000018F7000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-14 09:04
Reported
2024-11-14 09:07
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
140s
Command Line
Signatures
Stealc
Stealc family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe | N/A |
Reads data files stored by FTP clients
Unsecured Credentials: Credentials In Files
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2520 wrote to memory of 4688 | N/A | C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2520 wrote to memory of 4688 | N/A | C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2520 wrote to memory of 4688 | N/A | C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4688 wrote to memory of 2948 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
| PID 4688 wrote to memory of 2948 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
| PID 4688 wrote to memory of 2948 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe
"C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c.exe" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 5
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| RU | 185.215.113.206:80 | 185.215.113.206 | tcp |
| US | 8.8.8.8:53 | 20.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/2520-0-0x0000000000540000-0x0000000000C57000-memory.dmp
memory/2520-1-0x0000000077274000-0x0000000077276000-memory.dmp
memory/2520-2-0x0000000000541000-0x00000000005A9000-memory.dmp
memory/2520-3-0x0000000000540000-0x0000000000C57000-memory.dmp
C:\ProgramData\chrome.dll
| Hash | Value |
| --- | --- |
| MD5 | eda18948a989176f4eebb175ce806255 |
| SHA1 | ff22a3d5f5fb705137f233c36622c79eab995897 |
| SHA256 | 81a4f37c5495800b7cc46aea6535d9180dadb5c151db6f1fd1968d1cd8c1eeb4 |
| SHA512 | 160ed9990c37a4753fc0f5111c94414568654afbedc05308308197df2a99594f2d5d8fe511fd2279543a869ed20248e603d88a0b9b8fb119e8e6131b0c52ff85 |
memory/2520-10-0x0000000000540000-0x0000000000C57000-memory.dmp