stealc | ad277a48c7c67f5510e0d2b28284f631f9e51dd7da53ed9e4da8dec0078d9aa0

Analysis

max time kernel
94s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

503KB
MD5

926dd9e88e2ac846eaf3c23ef8208cdf
SHA1

95e642c98048b718b948425e39a746d66d0dd4db
SHA256

ad277a48c7c67f5510e0d2b28284f631f9e51dd7da53ed9e4da8dec0078d9aa0
SHA512

ff5c31b9ffe58b88983ba2c2f8f2195c454fe69f05a9d5a40aa90227461fb3a1994c778b026a723715ab5d3664702f47df84336afd5b495cd258a1514f75eb30
SSDEEP

12288:sA4gyTSwAN2kL0PPJHBlOyLwFrpOu6VSlC8OIlr7v:sxgFN2kL03HlpLwFrpOu6qC83r7v

Score

10^/10

stealc logsdiller1 discovery stealer

Malware Config

Extracted

Family

stealc

Botnet

LogsDiller1

http://109.107.157.132

Attributes

url_path
/7a5d4e643b804e99.php

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2756 set thread context of 2928	2756	file.exe	84

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 1776	2756	file.exe	83
PID 2756 wrote to memory of 1776	2756	file.exe	83
PID 2756 wrote to memory of 1776	2756	file.exe	83
PID 2756 wrote to memory of 2928	2756	file.exe	84
PID 2756 wrote to memory of 2928	2756	file.exe	84
PID 2756 wrote to memory of 2928	2756	file.exe	84
PID 2756 wrote to memory of 2928	2756	file.exe	84
PID 2756 wrote to memory of 2928	2756	file.exe	84
PID 2756 wrote to memory of 2928	2756	file.exe	84
PID 2756 wrote to memory of 2928	2756	file.exe	84
PID 2756 wrote to memory of 2928	2756	file.exe	84
PID 2756 wrote to memory of 2928	2756	file.exe	84

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  PID:1776
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2756-0-0x000000000008D000-0x000000000008E000-memory.dmp

Filesize
4KB

Download
memory/2928-1-0x0000000000400000-0x0000000000650000-memory.dmp

Filesize
2.3MB

Download
memory/2928-3-0x0000000000400000-0x0000000000650000-memory.dmp

Filesize
2.3MB

Download
memory/2928-4-0x0000000000050000-0x00000000000CF000-memory.dmp

Filesize
508KB

Download