stealc | 2a69f324a5524c24e3280c7d6e573ee0854ae8a6e12efe42f1c8cea50999ba74

Analysis

max time kernel
94s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2024 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

6.8MB
MD5

acb755d083c876f6a80105c17cc61754
SHA1

8ccfc2b30402e76a59ed07873b0ccf589728fd22
SHA256

b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86
SHA512

2d26da0b24c61e05a66583b548672f00b4351c87669fb8b7e4e71a73da4a2c0e470d7c6aa8072976fe8ca2ac5ea6b75e41f54b426c0d1de06aa118a83283b70b
SSDEEP

196608:DzSpVt4hhiIbZg4T4hac7p6eDcGRY9Dc+/7/MS6a:DWp74hVbehacQeHwDc+/7zb

Score

10^/10

stealc workbaza discovery stealer

Malware Config

Extracted

Family

stealc

Botnet

Workbaza

http://5.35.36.211

Attributes

url_path
/cadb6378d4b16104.php

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Loads dropped DLL 6 IoCs

pid	Process
1360	setup.exe
1360	setup.exe
1360	setup.exe
1360	setup.exe
1360	setup.exe
1360	setup.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 1360	4928	setup.exe	83
PID 4928 wrote to memory of 1360	4928	setup.exe	83
PID 4928 wrote to memory of 1360	4928	setup.exe	83

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI49282\VCRUNTIME140.dll

Filesize
74KB

MD5
afa8fb684eded0d4ca6aa03aebea446f

SHA1
98bbb8543d4b3fbecebb952037adb0f9869a63a5

SHA256
44de8d0dc9994bff357344c44f12e8bfff8150442f7ca313298b98e6c23a588e

SHA512
6669eec07269002c881467d4f4af82e5510928ea32ce79a7b1f51a71ba9567e8d99605c5bc86f940a7b70231d70638aeb2f6c2397ef197bd4c28f5e9fad40312

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49282\_ctypes.pyd

Filesize
114KB

MD5
21e301d58c481660af1efdebc4ad63fe

SHA1
ec10719afcbd6317355bbe0de04beb3d5c067651

SHA256
003429b4e119dc08798aada64c13002b210507291afae8cace5eb0032754e78e

SHA512
fe06fcb3f6f3f76b7de0ea92ea4fb286c6f8643cbe0f34a9df9b354434aabe3941a3bf2028f3a2e61183f4c39ee2f80ec5dfdcd9854416423142142508a71493

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49282\_socket.pyd

Filesize
69KB

MD5
2df573607b053e4d8ba0eba9be96541c

SHA1
d41b40c468898c9a2e4d6be434c7eea57724b546

SHA256
a591d3054c741496889e1a427516d8aab89bb94636b96467213fa6449df9eb26

SHA512
21fb191b49092abf5bc0ab029fdff0a63b7b77ed4edbf13b0c74eb8d3e5a9ebd5ba8314c0f8293ad5c922c5ad0849a23d1fa05e1c6e3104c23aab85dcd095e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49282\base_library.zip

Filesize
781KB

MD5
d214306a963d6db9dbe73c65d9b7c23e

SHA1
e42d3786f3ecf2cffee2ca2b7821973630431231

SHA256
5dd6afe3439d4eb8673de441ed980825919110abc2b1360c7a02a3cc365fcca8

SHA512
76601a39f1e84eaf3257a4989a45b6e2ee8492788239bb8f42729bfdbfbd3a50949295fd459ee4d9649fd16c3815740d7bf8152c4b707432a2a480ced711473c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49282\libffi-7.dll

Filesize
28KB

MD5
bc20614744ebf4c2b8acd28d1fe54174

SHA1
665c0acc404e13a69800fae94efd69a41bdda901

SHA256
0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57

SHA512
0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49282\python39.dll

Filesize
4.3MB

MD5
84741db3367d6998108d22e03eaf2a71

SHA1
6564ab918223d0074dfbf9bc5d062fd3a2003079

SHA256
3e0c22d1451c3f3578850990f54916eb276bb45b951649d6478523566dfa8059

SHA512
1a6aa94ec97df73b23b0d5079bafa92c13f9786f5c488046e95804f4701baeecb1beb9fd96824a6009355321adb7319ac643af40ff0c6b01733050dab2b648c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49282\select.pyd

Filesize
24KB

MD5
e2642d30be324bd86d711ada36797b85

SHA1
c474699a4853f0157708901213d3165530c45a69

SHA256
bb87be114067ab856067dbe74ba421c21cb0f36ad1960af0f5d61bda2e753fa2

SHA512
b2bb79f229d86e74d04bae5ef4813909afeaac530ce71f384c2ce1e1c690d792b413255c35e97b0ef9ff72c68d779dc044a03646d35777a40f1a427eafc14666

Download Submit
memory/1360-33-0x0000000012A30000-0x0000000012C74000-memory.dmp

Filesize
2.3MB

Download
memory/1360-34-0x0000000012A30000-0x0000000012C74000-memory.dmp

Filesize
2.3MB

Download
memory/1360-36-0x0000000012A30000-0x0000000012C74000-memory.dmp

Filesize
2.3MB

Download