stealc | 9c5e934b2d1a0a5a97c8f46c1dad1c127fa54ff12f658c748666e7d368a1d4ba

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-12-2024 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1520-46-0x0000000000F10000-0x000000000140D000-memory.exe
Size

5.0MB
MD5

f88b8b2eeb9c97f12727dc30b5e533b7
SHA1

886217eb34a48329dbb8be2b2088146ffa22086e
SHA256

9c5e934b2d1a0a5a97c8f46c1dad1c127fa54ff12f658c748666e7d368a1d4ba
SHA512

f4eb54797255ccc74d2c4e3f35e7435186e42c73f2a4c7369e5636bb447f51222d62492b5d8d6029be664bce45ef3fc12d6fc7ca3b88958d17000a9e4d702f99
SSDEEP

49152:IHx2Y/JerNUDz7zu4YRB0xNCxkZF27NwZRso5q6:u2Y/JerNUDz7zuhRiNC2AN

Score

10^/10

stealc discovery stealer

Malware Config

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2632	3004	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1520-46-0x0000000000F10000-0x000000000140D000-memory.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2632	3004	1520-46-0x0000000000F10000-0x000000000140D000-memory.exe	30
PID 3004 wrote to memory of 2632	3004	1520-46-0x0000000000F10000-0x000000000140D000-memory.exe	30
PID 3004 wrote to memory of 2632	3004	1520-46-0x0000000000F10000-0x000000000140D000-memory.exe	30
PID 3004 wrote to memory of 2632	3004	1520-46-0x0000000000F10000-0x000000000140D000-memory.exe	30

C:\Users\Admin\AppData\Local\Temp\1520-46-0x0000000000F10000-0x000000000140D000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\1520-46-0x0000000000F10000-0x000000000140D000-memory.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 36
  2⤵
  - Program crash
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3004-0-0x0000000000660000-0x0000000000B5D000-memory.dmp

Filesize
5.0MB

Download