stealc | 94215092f8c5b6b91c39458b51665a3cd62c35706ad8c2908d7eb6d74d17702b

General

Target

Setup.exe
Size

98.2MB
MD5

c681f05fe3025f3a23833da6e100ba9d
SHA1

7e862b1895561bc3aca9595210276b0f6597636a
SHA256

94215092f8c5b6b91c39458b51665a3cd62c35706ad8c2908d7eb6d74d17702b
SHA512

106d6d41738691fa6fe49ae313bc2d85fa8d7a7dd8283899aa01c6d056053a23d5bf569af601a42c65eca2bdee334af65fd745cfbf26c67b4a1eb6f1fe9158d3
SSDEEP

12288:upjQGbC5X/m4WTfzf2ugUNkYn40lhETt3EqEELHZIQnlT1H:kjLmXRyfTNfNki/ktUqEEL5IO

Score

10^/10

stealc 670052684 discovery stealer

Malware Config

Extracted

Family

stealc

Botnet

670052684

C2

http://178.63.148.7

Attributes

url_path
/875489374a8fad8f.php

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Loads dropped DLL 2 IoCs

pid	Process
2716	Setup.exe
3376	MSBuild.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2716 set thread context of 3376	2716	Setup.exe	83
PID 3376 set thread context of 3332	3376	MSBuild.exe	84

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 3376	2716	Setup.exe	83
PID 2716 wrote to memory of 3376	2716	Setup.exe	83
PID 2716 wrote to memory of 3376	2716	Setup.exe	83
PID 2716 wrote to memory of 3376	2716	Setup.exe	83
PID 2716 wrote to memory of 3376	2716	Setup.exe	83
PID 2716 wrote to memory of 3376	2716	Setup.exe	83
PID 2716 wrote to memory of 3376	2716	Setup.exe	83
PID 2716 wrote to memory of 3376	2716	Setup.exe	83
PID 2716 wrote to memory of 3376	2716	Setup.exe	83
PID 2716 wrote to memory of 3376	2716	Setup.exe	83
PID 3376 wrote to memory of 3332	3376	MSBuild.exe	84
PID 3376 wrote to memory of 3332	3376	MSBuild.exe	84
PID 3376 wrote to memory of 3332	3376	MSBuild.exe	84
PID 3376 wrote to memory of 3332	3376	MSBuild.exe	84
PID 3376 wrote to memory of 3332	3376	MSBuild.exe	84
PID 3376 wrote to memory of 3332	3376	MSBuild.exe	84
PID 3376 wrote to memory of 3332	3376	MSBuild.exe	84
PID 3376 wrote to memory of 3332	3376	MSBuild.exe	84
PID 3376 wrote to memory of 3332	3376	MSBuild.exe	84

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
    3⤵
    PID:3332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\msvcp110.dll

Filesize
625KB

MD5
b3d94421e2b58e3f439e5a98637962af

SHA1
c8d54b23bb58962d6a428371953e1d0ab36d5987

SHA256
c21e28073425ea6fd725c176beb617589562d41819fd909383223176113c56f5

SHA512
935979ed19747ea79f4b91681d3769acd369ef3261d3251570e203f1644041516db486bfc91dbf055441a5b1798d9ed2002728537d83fcdfec8179f5cbc5943e

Download Submit
C:\Users\Admin\AppData\Roaming\msvcp110.dll

Filesize
582KB

MD5
fc75d66b8daf935a4bee91d24f3609c3

SHA1
b34ef2128e4c36bf6fcc09af08bcef50d35e0227

SHA256
7adc248b5efc0cceb3a2e4540dab54a6a4dec434950443342657c99c4dc18952

SHA512
a6eaafab8224c158b9772edfed9934f7dfecc231c393382643cb67ac0283596156479a63a9b6f8824d5f2bf9943ff60a7fbc209896f6730b3b8c66d6adc91608

Download Submit
memory/2716-13-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/2716-3-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/2716-2-0x00000000050F0000-0x00000000050F6000-memory.dmp

Filesize
24KB

Download
memory/2716-1-0x0000000000770000-0x00000000007FE000-memory.dmp

Filesize
568KB

Download
memory/2716-0-0x000000007464E000-0x000000007464F000-memory.dmp

Filesize
4KB

Download
memory/2716-15-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/3332-54-0x0000000000920000-0x0000000000B81000-memory.dmp

Filesize
2.4MB

Download
memory/3332-55-0x0000000000920000-0x0000000000B81000-memory.dmp

Filesize
2.4MB

Download
memory/3332-51-0x0000000000920000-0x0000000000B81000-memory.dmp

Filesize
2.4MB

Download
memory/3332-53-0x0000000000920000-0x0000000000B81000-memory.dmp

Filesize
2.4MB

Download
memory/3332-47-0x0000000000920000-0x0000000000B81000-memory.dmp

Filesize
2.4MB

Download
memory/3376-16-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/3376-29-0x0000000000B80000-0x0000000000BF1000-memory.dmp

Filesize
452KB

Download
memory/3376-32-0x0000000000B80000-0x0000000000BF1000-memory.dmp

Filesize
452KB

Download
memory/3376-36-0x0000000000B80000-0x0000000000BF1000-memory.dmp

Filesize
452KB

Download
memory/3376-38-0x0000000000B80000-0x0000000000BF1000-memory.dmp

Filesize
452KB

Download
memory/3376-31-0x0000000000B80000-0x0000000000BF1000-memory.dmp

Filesize
452KB

Download
memory/3376-17-0x0000000001590000-0x0000000001596000-memory.dmp

Filesize
24KB

Download
memory/3376-12-0x0000000000B80000-0x0000000000BE2000-memory.dmp

Filesize
392KB

Download
memory/3376-10-0x0000000000B80000-0x0000000000BF1000-memory.dmp

Filesize
452KB

Download
memory/3376-46-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/3376-39-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/3376-35-0x0000000000B80000-0x0000000000BF1000-memory.dmp

Filesize
452KB

Download
memory/3376-27-0x0000000000B80000-0x0000000000BF1000-memory.dmp

Filesize
452KB

Download
memory/3376-26-0x0000000000B80000-0x0000000000BF1000-memory.dmp

Filesize
452KB

Download
memory/3376-24-0x0000000000B80000-0x0000000000BF1000-memory.dmp

Filesize
452KB

Download
memory/3376-23-0x0000000000B80000-0x0000000000BF1000-memory.dmp

Filesize
452KB

Download
memory/3376-22-0x0000000000B80000-0x0000000000BF1000-memory.dmp

Filesize
452KB

Download
memory/3376-21-0x0000000000B80000-0x0000000000BF1000-memory.dmp

Filesize
452KB

Download
memory/3376-19-0x0000000000B80000-0x0000000000BF1000-memory.dmp

Filesize
452KB

Download
memory/3376-18-0x0000000000B80000-0x0000000000BF1000-memory.dmp

Filesize
452KB

Download
memory/3376-20-0x0000000000B80000-0x0000000000BF1000-memory.dmp

Filesize
452KB

Download
memory/3376-56-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing