stealc | ed2070decb4423318b98442a422157e42cad8e572c56c69f83911f09551a84b6

Analysis

max time kernel
15s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed2070decb4423318b98442a422157e42cad8e572c56c69f83911f09551a84b6N.exe
Size

5.1MB
MD5

0d8ef911a6f021a7fc2526f492ce13f0
SHA1

21d3e348c2e291fbdcd2ed3eb5dd514c4979ddef
SHA256

ed2070decb4423318b98442a422157e42cad8e572c56c69f83911f09551a84b6
SHA512

9228c3dfdffcbbd5161db449ba9f9518350f87cdcd91dc916b50c0a661d3bc10acebb63fa6f9c7c39b2f30fa98e29c741a10f262cb61d08fbc9da13c941da032
SSDEEP

49152:Q7JJ4RU7l4c+UDsn26xTVNpfYMlODRBQ3EYiBLwFOeI:Q1SRUpf+Ws5YMlA43YBLwFxI

Score

10^/10

stealc drum discovery stealer

Malware Config

Extracted

Family

stealc

Botnet

drum

http://185.215.113.206

Attributes

url_path
/c4becf79229cb002.php

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2396	2400	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed2070decb4423318b98442a422157e42cad8e572c56c69f83911f09551a84b6N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2396	2400	ed2070decb4423318b98442a422157e42cad8e572c56c69f83911f09551a84b6N.exe	30
PID 2400 wrote to memory of 2396	2400	ed2070decb4423318b98442a422157e42cad8e572c56c69f83911f09551a84b6N.exe	30
PID 2400 wrote to memory of 2396	2400	ed2070decb4423318b98442a422157e42cad8e572c56c69f83911f09551a84b6N.exe	30
PID 2400 wrote to memory of 2396	2400	ed2070decb4423318b98442a422157e42cad8e572c56c69f83911f09551a84b6N.exe	30

C:\Users\Admin\AppData\Local\Temp\ed2070decb4423318b98442a422157e42cad8e572c56c69f83911f09551a84b6N.exe
"C:\Users\Admin\AppData\Local\Temp\ed2070decb4423318b98442a422157e42cad8e572c56c69f83911f09551a84b6N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 36
  2⤵
  - Program crash
  PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2400-0-0x0000000000400000-0x0000000000921000-memory.dmp

Filesize
5.1MB

Download