Analysis

  • max time kernel
    94s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/01/2025, 15:42 UTC

General

  • Target

    2c076e48bff5fb538be86fcfdc8c1657613200cdaa27fa0e8a6f8e46d2aa9589.exe

  • Size

    1.7MB

  • MD5

    026de52964103c3f11b72d6e321d5971

  • SHA1

    33c73f71ef01e964ef44a778d0c76f6aadedc1b2

  • SHA256

    2c076e48bff5fb538be86fcfdc8c1657613200cdaa27fa0e8a6f8e46d2aa9589

  • SHA512

    32528baaf8472978bb2cda82b5988103fb94555baf22e2c9044ca46e2b193b6e8eb37aeb77f9a2a8557c581767746705d318ea8fb378786ad56b7c33442e55f8

  • SSDEEP

    49152:tUAG/BeGcy0GOOusWV2N6YYH+BEUqfj2uGkW:tUfe5y9Bfs/+BEUwW

Malware Config

Extracted

Family

stealc

Botnet

brat

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Signatures

  • Stealc

    Stealc is an infostealer written in C++.

  • Stealc family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2c076e48bff5fb538be86fcfdc8c1657613200cdaa27fa0e8a6f8e46d2aa9589.exe
    "C:\Users\Admin\AppData\Local\Temp\2c076e48bff5fb538be86fcfdc8c1657613200cdaa27fa0e8a6f8e46d2aa9589.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    PID:680
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 1480
      2⤵
      • Program crash
      PID:4756
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 680 -ip 680
    1⤵
      PID:728

    Network

    • flag-us
      DNS
      209.205.72.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      209.205.72.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      218.158.40.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      218.158.40.23.in-addr.arpa
      IN PTR
      Response
      218.158.40.23.in-addr.arpa
      IN PTR
      a23-40-158-218deploystaticakamaitechnologiescom
    • flag-us
      DNS
      133.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      133.32.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      97.17.167.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      97.17.167.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      200.163.202.172.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      200.163.202.172.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      206.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      206.23.85.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      24.139.73.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      24.139.73.23.in-addr.arpa
      IN PTR
      Response
      24.139.73.23.in-addr.arpa
      IN PTR
      a23-73-139-24deploystaticakamaitechnologiescom
    • flag-us
      DNS
      210.156.23.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      210.156.23.2.in-addr.arpa
      IN PTR
      Response
      210.156.23.2.in-addr.arpa
      IN PTR
      a2-23-156-210deploystaticakamaitechnologiescom
    • flag-us
      DNS
      11.227.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      11.227.111.52.in-addr.arpa
      IN PTR
      Response
    • 185.215.113.206:80
      2c076e48bff5fb538be86fcfdc8c1657613200cdaa27fa0e8a6f8e46d2aa9589.exe
      260 B
      5
    • 8.8.8.8:53
      209.205.72.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      209.205.72.20.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      218.158.40.23.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      218.158.40.23.in-addr.arpa

    • 8.8.8.8:53
      133.32.126.40.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      133.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      97.17.167.52.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      97.17.167.52.in-addr.arpa

    • 8.8.8.8:53
      200.163.202.172.in-addr.arpa
      dns
      74 B
      160 B
      1
      1

      DNS Request

      200.163.202.172.in-addr.arpa

    • 8.8.8.8:53
      206.23.85.13.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      206.23.85.13.in-addr.arpa

    • 8.8.8.8:53
      24.139.73.23.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      24.139.73.23.in-addr.arpa

    • 8.8.8.8:53
      210.156.23.2.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      210.156.23.2.in-addr.arpa

    • 8.8.8.8:53
      11.227.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      11.227.111.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/680-0-0x00000000002F0000-0x000000000098C000-memory.dmp

      Filesize

      6.6MB

    • memory/680-1-0x0000000077194000-0x0000000077196000-memory.dmp

      Filesize

      8KB

    • memory/680-2-0x00000000002F1000-0x0000000000308000-memory.dmp

      Filesize

      92KB

    • memory/680-3-0x00000000002F0000-0x000000000098C000-memory.dmp

      Filesize

      6.6MB

    • memory/680-4-0x00000000002F0000-0x000000000098C000-memory.dmp

      Filesize

      6.6MB

    • memory/680-5-0x00000000002F0000-0x000000000098C000-memory.dmp

      Filesize

      6.6MB

    • memory/680-6-0x00000000002F0000-0x000000000098C000-memory.dmp

      Filesize

      6.6MB

    • memory/680-7-0x00000000002F0000-0x000000000098C000-memory.dmp

      Filesize

      6.6MB

    • memory/680-8-0x00000000002F0000-0x000000000098C000-memory.dmp

      Filesize

      6.6MB

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.