7c7bd6b6eae68733dba57de0fd87f64efa1b95a574d62a878296d87f9512d0d7

General

Target

Stellar.exe
Size

6.1MB
MD5

f034b97fd20e082477a3bc36d941cbf4
SHA1

6e1b18afe72f9060983cb53bcf2e858b7517e0aa
SHA256

7c7bd6b6eae68733dba57de0fd87f64efa1b95a574d62a878296d87f9512d0d7
SHA512

dfa3b17102c47577e07f5bd0a585f85d558b8eaa54bc783342bd6f81a14b861fd260674e039abf16e39d4dc7a9c4a6b352c3f53b64086c00d624727cda43cb9f
SSDEEP

196608:RaiSkSIlLTUcwti7TQl2NgVg01MWAXAkuujCPX9YG9he5GnQCAJKN:QkSopwtQQl2aOtXADu8X9Y95GQLJ

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
8	raw.githubusercontent.com
9	raw.githubusercontent.com
10	raw.githubusercontent.com
11	raw.githubusercontent.com
4	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2732	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1060	taskkill.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3064	Stellar.exe
Token: SeDebugPrivilege	1060	taskkill.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 1568	3064	Stellar.exe	31
PID 3064 wrote to memory of 1568	3064	Stellar.exe	31
PID 3064 wrote to memory of 1568	3064	Stellar.exe	31
PID 1568 wrote to memory of 2800	1568	cmd.exe	33
PID 1568 wrote to memory of 2800	1568	cmd.exe	33
PID 1568 wrote to memory of 2800	1568	cmd.exe	33
PID 1568 wrote to memory of 1060	1568	cmd.exe	34
PID 1568 wrote to memory of 1060	1568	cmd.exe	34
PID 1568 wrote to memory of 1060	1568	cmd.exe	34
PID 1568 wrote to memory of 2732	1568	cmd.exe	35
PID 1568 wrote to memory of 2732	1568	cmd.exe	35
PID 1568 wrote to memory of 2732	1568	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\Stellar.exe
"C:\Users\Admin\AppData\Local\Temp\Stellar.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0e6cd5f1-c391-4e50-a97e-802549e9010f.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2800
- - C:\Windows\system32\taskkill.exe
    taskkill /F /PID 3064
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1060
- - C:\Windows\system32\timeout.exe
    timeout /T 2 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0e6cd5f1-c391-4e50-a97e-802549e9010f.bat

Filesize
152B

MD5
0110aee57c88995d7f35b930761bdff5

SHA1
39f2bb45fc97062e139979c2ecba11076bee368e

SHA256
ea24c18ca8196ddd997f858eefe34fb328926eca3bdffaeaf445212310f7202e

SHA512
98fd5a86b0af40a6536df61c885bddc14725d0b98dc047bc048df3ec6d207d8fea573c16359c5de2b2336a7bbc575dd1c08a5292dc2ece24df96b2f9a8a4a2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7FAD.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
2KB

MD5
f287ecfcb47aa19aa77b8c0fade3e284

SHA1
ceec3bcd24268e212c977b51740edc3ef2b71652

SHA256
a10597bffc69f385e9ae7b6cf415fd5cbe3b160d721d6990ff735338dc364a73

SHA512
954971df78be95bf872521c2bb4e57a5e08555033579f1d55f438f31d4aa4210f56d9a7dc2ce5cd5bb07fefd635acf75f19db9f061aeb6a3970166b7019045d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
2KB

MD5
f31127dd3ba95b8fda17bc86db90932c

SHA1
5b7f4dd7e9a743b1b9c52fe74b4775439e86da2b

SHA256
f9c5c17f6cd960d0f939e1101dcd06bf1426269161e2daca9bdddb91a29ad486

SHA512
642aebc1d7371901d1f90251c13512e6c17fc4c34172533eea886338cbe41b1b854ba380cfb69b0a52eb5cba01738d1da72ced00fef73a3677fbe1645e898cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar805C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/3064-0-0x000007FEF5583000-0x000007FEF5584000-memory.dmp

Filesize
4KB

Download
memory/3064-1-0x00000000010F0000-0x0000000001708000-memory.dmp

Filesize
6.1MB

Download
memory/3064-2-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

Filesize
9.9MB

Download
memory/3064-170-0x000007FEF5583000-0x000007FEF5584000-memory.dmp

Filesize
4KB

Download
memory/3064-199-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

Filesize
9.9MB

Download
memory/3064-317-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing