Resubmissions

11-12-2024 15:32

241211-sy44nssrdm 10

09-08-2024 21:57

240809-1t1vfs1cpm 10

06-08-2024 13:01

240806-p9f97szdlm 10

06-08-2024 12:52

240806-p3672stdkg 10

06-08-2024 12:29

240806-ppa8fsygqr 10

06-08-2024 12:26

240806-pmc92ashlh 10

Analysis

  • max time kernel
    149s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-12-2024 15:32

General

  • Target

    1/0e4fc438decc9723b89bd0e71b9ee30c1a8390e697d790b2d5ce96e94accd791.exe

  • Size

    389KB

  • MD5

    35a50d146a389289bf8cf8ae60c9e785

  • SHA1

    eb94502d25789eb86dc160c2bc9be4b4a64131bd

  • SHA256

    0e4fc438decc9723b89bd0e71b9ee30c1a8390e697d790b2d5ce96e94accd791

  • SHA512

    9bfe09f5165fd43579d87f229ba4a17cc8af8d7fc50ed629de3ec93e1b8d94d9c6aac17f7a429b401f332623cef2178f0d0f1930b674cf1061d24225e5427ada

  • SSDEEP

    6144:blwLkykiFkeLnCUcx/IcoN6OpMW6rTBwEBKI7MUYbuYg785zg2di8DEO:bRiFHnC5m2TB+I70678dXi8DEO

Malware Config

Extracted

Family

stealc

Botnet

default

C2

http://85.28.47.101

Attributes
  • url_path

    /f3ee98d7eec07fb9.php

Signatures

  • Stealc

    Stealc is an infostealer written in C++.

  • Stealc family
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1\0e4fc438decc9723b89bd0e71b9ee30c1a8390e697d790b2d5ce96e94accd791.exe
    "C:\Users\Admin\AppData\Local\Temp\1\0e4fc438decc9723b89bd0e71b9ee30c1a8390e697d790b2d5ce96e94accd791.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5024
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
        PID:3660
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:3180

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3180-1-0x0000000000400000-0x000000000063C000-memory.dmp

      Filesize

      2.2MB

    • memory/3180-3-0x0000000000400000-0x000000000063C000-memory.dmp

      Filesize

      2.2MB

    • memory/3180-4-0x0000000000400000-0x000000000063C000-memory.dmp

      Filesize

      2.2MB

    • memory/3180-5-0x0000000000400000-0x000000000063C000-memory.dmp

      Filesize

      2.2MB

    • memory/5024-0-0x0000000000F40000-0x0000000000F41000-memory.dmp

      Filesize

      4KB