stealc | 4adede428b6bdfba962baae89274a4697e33f70fa4ee9265f2d945e83e408265

Analysis

max time kernel
141s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c632322bff9d2562ebf7783cc411db8.exe
Size

419KB
MD5

4c632322bff9d2562ebf7783cc411db8
SHA1

f9a82d6aa7867b3e55907c8976ecdc564195ae8d
SHA256

4adede428b6bdfba962baae89274a4697e33f70fa4ee9265f2d945e83e408265
SHA512

f457d70ce849bd115c3e966f3460899cd84e8d062b0b68d33d47b536268972b977b155da017b8a3667d21cdc4eafeceb0ee1ba7693ebd18d66562883a36375d5
SSDEEP

6144:tm2uj3DmwiSj+Q/g2ygrx2h0jyG0clDM6oMYYub9hjD68u3h:cFL/9x2heyGdl997ub3+8u3

Score

10^/10

stealc default discovery stealer

Malware Config

Extracted

Family

stealc

Botnet

default

http://92.255.57.89

Attributes

url_path
/45c616e921a794b8.php

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2648	41.tmp.exe

Loads dropped DLL 5 IoCs

pid	Process
2120	4c632322bff9d2562ebf7783cc411db8.exe
2120	4c632322bff9d2562ebf7783cc411db8.exe
2120	4c632322bff9d2562ebf7783cc411db8.exe
2120	4c632322bff9d2562ebf7783cc411db8.exe
2120	4c632322bff9d2562ebf7783cc411db8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c632322bff9d2562ebf7783cc411db8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41.tmp.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2120	4c632322bff9d2562ebf7783cc411db8.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2120	4c632322bff9d2562ebf7783cc411db8.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2648	2120	4c632322bff9d2562ebf7783cc411db8.exe	32
PID 2120 wrote to memory of 2648	2120	4c632322bff9d2562ebf7783cc411db8.exe	32
PID 2120 wrote to memory of 2648	2120	4c632322bff9d2562ebf7783cc411db8.exe	32
PID 2120 wrote to memory of 2648	2120	4c632322bff9d2562ebf7783cc411db8.exe	32

C:\Users\Admin\AppData\Local\Temp\4c632322bff9d2562ebf7783cc411db8.exe
"C:\Users\Admin\AppData\Local\Temp\4c632322bff9d2562ebf7783cc411db8.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Users\Admin\AppData\Local\Temp\41.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\41.tmp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\41.tmp.exe

Filesize
296KB

MD5
d8ce5c15818144c17bbb3bf250494439

SHA1
f2e47e83562b755c8b867983e2633bf799e737fb

SHA256
351b08447b3ac2527ab994604bdd91e43044c962dc26de2ad12f2c46d1eacabd

SHA512
05baef07c671cb86c524c55b7cb5a710c92ca864447e2bf8f4044ad73a1c56c4cbee4d574faf6296b04d4981238a2e0c881de1d316047019ffc7d870bfe650ac

Download Submit
memory/2120-1-0x00000000002B0000-0x00000000003B0000-memory.dmp

Filesize
1024KB

Download
memory/2120-2-0x0000000002000000-0x0000000002065000-memory.dmp

Filesize
404KB

Download
memory/2120-3-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2120-17-0x00000000002B0000-0x00000000003B0000-memory.dmp

Filesize
1024KB

Download
memory/2120-19-0x0000000002000000-0x0000000002065000-memory.dmp

Filesize
404KB

Download
memory/2120-18-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2120-20-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2120-44-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2648-41-0x0000000000400000-0x0000000000822000-memory.dmp

Filesize
4.1MB

Download
memory/2648-42-0x0000000000400000-0x0000000000822000-memory.dmp

Filesize
4.1MB

Download
memory/2648-43-0x0000000000400000-0x0000000000822000-memory.dmp

Filesize
4.1MB

Download