stealc | 0bbec756d66bba49a77f73a90a6360e930305982462c1ecf6120bfd47d0d14ff

Analysis

max time kernel
93s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bbec756d66bba49a77f73a90a6360e930305982462c1ecf6120bfd47d0d14ff_Sigmanly.exe
Size

6.2MB
MD5

0ffda94b68c7028111e5981ae87cbff4
SHA1

716337b963c32cbd9839e460f0ff22357a2fe22c
SHA256

0bbec756d66bba49a77f73a90a6360e930305982462c1ecf6120bfd47d0d14ff
SHA512

b87fd54fb251d7d7e294fabb5ed12228665b2005674ea8dc06d46ae99eba50dc6c9c4df9379e1a83b4d65ac68e2bf91bf25bd76edf6b914b991b95d5810be2d9
SSDEEP

98304:59df0IDlQ+i1VS7wbMTwavsJB1NfYfztrrBsZtRsD16HVMlJN86G0:t0ai1wUI9c1+BmZ3s5KA8K

Score

10^/10

stealc logsdiller credential_access discovery spyware stealer

Malware Config

Extracted

Family

stealc

Botnet

LogsDiller

http://185.219.81.132

Attributes

url_path
/1089481c07d09d21.php

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	0bbec756d66bba49a77f73a90a6360e930305982462c1ecf6120bfd47d0d14ff_Sigmanly.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0bbec756d66bba49a77f73a90a6360e930305982462c1ecf6120bfd47d0d14ff_Sigmanly.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	0bbec756d66bba49a77f73a90a6360e930305982462c1ecf6120bfd47d0d14ff_Sigmanly.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	0bbec756d66bba49a77f73a90a6360e930305982462c1ecf6120bfd47d0d14ff_Sigmanly.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1812	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4680	0bbec756d66bba49a77f73a90a6360e930305982462c1ecf6120bfd47d0d14ff_Sigmanly.exe
4680	0bbec756d66bba49a77f73a90a6360e930305982462c1ecf6120bfd47d0d14ff_Sigmanly.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 220	4680	0bbec756d66bba49a77f73a90a6360e930305982462c1ecf6120bfd47d0d14ff_Sigmanly.exe	82
PID 4680 wrote to memory of 220	4680	0bbec756d66bba49a77f73a90a6360e930305982462c1ecf6120bfd47d0d14ff_Sigmanly.exe	82
PID 4680 wrote to memory of 220	4680	0bbec756d66bba49a77f73a90a6360e930305982462c1ecf6120bfd47d0d14ff_Sigmanly.exe	82
PID 220 wrote to memory of 1812	220	cmd.exe	84
PID 220 wrote to memory of 1812	220	cmd.exe	84
PID 220 wrote to memory of 1812	220	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\0bbec756d66bba49a77f73a90a6360e930305982462c1ecf6120bfd47d0d14ff_Sigmanly.exe
"C:\Users\Admin\AppData\Local\Temp\0bbec756d66bba49a77f73a90a6360e930305982462c1ecf6120bfd47d0d14ff_Sigmanly.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\0bbec756d66bba49a77f73a90a6360e930305982462c1ecf6120bfd47d0d14ff_Sigmanly.exe" & del "C:\ProgramData\*.dll"" & exit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4680-0-0x00000000007E0000-0x0000000001347000-memory.dmp

Filesize
11.4MB

Download