stealc | 659105f9979080268a507838e1d430a5bdef56cb3396c3664a1054a9e10e1315

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-12-2024 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2084-0-0x0000000000810000-0x0000000000CF7000-memory.exe
Size

4.9MB
MD5

d42425152d3e62f9c85a527fe6ac015e
SHA1

757b445c90811ead7d68db757095ca8952c30f2e
SHA256

659105f9979080268a507838e1d430a5bdef56cb3396c3664a1054a9e10e1315
SHA512

426bdf35cc283727dc37be15074ddb675eae7e94463e2f635eb9c649095eaa8eb1fad0c491015c720b4b014ca9d580e0b53f3a82a6834813e0281ca333ba8d87
SSDEEP

24576:JcTklsKtO7PM7GC9YJM44hLqWknqYkMN46emXhR0GZcDwnV7JCqr8gq25GrL7O9N:J9FtN7YQhLqSPM7xv7b1urE5zn5

Score

10^/10

stealc discovery stealer

Malware Config

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2912	1088	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2084-0-0x0000000000810000-0x0000000000CF7000-memory.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 2912	1088	2084-0-0x0000000000810000-0x0000000000CF7000-memory.exe	31
PID 1088 wrote to memory of 2912	1088	2084-0-0x0000000000810000-0x0000000000CF7000-memory.exe	31
PID 1088 wrote to memory of 2912	1088	2084-0-0x0000000000810000-0x0000000000CF7000-memory.exe	31
PID 1088 wrote to memory of 2912	1088	2084-0-0x0000000000810000-0x0000000000CF7000-memory.exe	31

C:\Users\Admin\AppData\Local\Temp\2084-0-0x0000000000810000-0x0000000000CF7000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\2084-0-0x0000000000810000-0x0000000000CF7000-memory.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 36
  2⤵
  - Program crash
  PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1088-0-0x0000000001440000-0x0000000001927000-memory.dmp

Filesize
4.9MB

Download