Overview

overview

10

Static

static

3

5ffb2e33be...21.exe

windows7-x64

10

5ffb2e33be...21.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    5ffb2e33be22c35585ffe74f82986dcd542e9b89fdc9e0e9243c804f17c32521

  • Size

    2.7MB

  • Sample

    241224-r7bcaazngm

  • MD5

    d7593c78ec8bf3f98603559b67cb3ccd

  • SHA1

    4db5fb73dfc7d2067058437eb1e8b6d8da90f742

  • SHA256

    5ffb2e33be22c35585ffe74f82986dcd542e9b89fdc9e0e9243c804f17c32521

  • SHA512

    69b1b4c1d2691a3fa85d6e04557761b28d8c0f57c1db5f4500a7166717323b1920a429e4c700dca6b5c0badeb40023bb1dfbcbed20040c72b185e0aaba0c8f1a

  • SSDEEP

    24576:nJk3pTsMXL4bn2uKL29RiU0SMW/N90YZBS9+iXQIjXPY/hVWHaD6M4DbmXm7e50K:nJaCn+6HxPi9+iXPXIluDbmX70eHd+8

Score
10/10
stealcstokdiscoveryevasionstealer

Malware Config

Extracted

Family

stealc

Botnet

stok

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Targets

    • Target

      5ffb2e33be22c35585ffe74f82986dcd542e9b89fdc9e0e9243c804f17c32521

    • Size

      2.7MB

    • MD5

      d7593c78ec8bf3f98603559b67cb3ccd

    • SHA1

      4db5fb73dfc7d2067058437eb1e8b6d8da90f742

    • SHA256

      5ffb2e33be22c35585ffe74f82986dcd542e9b89fdc9e0e9243c804f17c32521

    • SHA512

      69b1b4c1d2691a3fa85d6e04557761b28d8c0f57c1db5f4500a7166717323b1920a429e4c700dca6b5c0badeb40023bb1dfbcbed20040c72b185e0aaba0c8f1a

    • SSDEEP

      24576:nJk3pTsMXL4bn2uKL29RiU0SMW/N90YZBS9+iXQIjXPY/hVWHaD6M4DbmXm7e50K:nJaCn+6HxPi9+iXPXIluDbmX70eHd+8

    Score
    10/10
    stealcstokdiscoveryevasionstealer

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • Stealc family

      stealc

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks