Analysis

  • max time kernel
    65s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    22-12-2024 13:11

General

  • Target

    d414cbb604967fdf6528b8b81704f104eb25a216380d218c1a2f81a77ffdd278.exe

  • Size

    2.8MB

  • MD5

    063eed374f3ad4b1e03c303814f6cc16

  • SHA1

    1241a7ec97a4304115c5cdd96a155f9248fbe072

  • SHA256

    d414cbb604967fdf6528b8b81704f104eb25a216380d218c1a2f81a77ffdd278

  • SHA512

    a66a4158a020ea7d1e5f04f8202db2c09228cca6bed91d9ecb7b911c76b2e6616dd012336a1db66c4242d56482c1c556fa8a56b55f902873f4a19bf1db277bb1

  • SSDEEP

    49152:Kagm/5gx3bOQpjZpaoiK1Vyz8HoKE8RzulwuY+DE:KagmRgxawj6oiKdPZdulwuY+DE

Malware Config

Extracted

Family

stealc

Botnet

stok

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Signatures

  • Stealc

    Stealc is an infostealer written in C++.

  • Stealc family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d414cbb604967fdf6528b8b81704f104eb25a216380d218c1a2f81a77ffdd278.exe
    "C:\Users\Admin\AppData\Local\Temp\d414cbb604967fdf6528b8b81704f104eb25a216380d218c1a2f81a77ffdd278.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:2772

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2772-0-0x00000000009A0000-0x0000000000E9D000-memory.dmp

    Filesize

    5.0MB

  • memory/2772-1-0x0000000076F50000-0x0000000076F52000-memory.dmp

    Filesize

    8KB

  • memory/2772-2-0x00000000009A1000-0x00000000009B8000-memory.dmp

    Filesize

    92KB

  • memory/2772-3-0x00000000009A0000-0x0000000000E9D000-memory.dmp

    Filesize

    5.0MB

  • memory/2772-4-0x00000000009A0000-0x0000000000E9D000-memory.dmp

    Filesize

    5.0MB