stealerium | 2ea5686422bd8fb6eda542e9a96588f9deb1c97c45f3cb7d3b21ac4da540b57c

Resubmissions

04-02-2025 15:52

250204-ta6g9szrg1 10

04-02-2025 15:27

250204-svsaps1rcr 10

Analysis

max time kernel
43s
max time network
40s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
04-02-2025 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Pdf Reader.exe
Size

73KB
MD5

9d347d5ac998a89f78ba00e74b951f55
SHA1

73df3d5c8388a4d6693cbb24f719dba8833c9157
SHA256

2ea5686422bd8fb6eda542e9a96588f9deb1c97c45f3cb7d3b21ac4da540b57c
SHA512

3db7421aa98e8e108bf982048dda7e0f09428c6498cf5f9f56ef499fb2fafc5deabde8ecb99e1fdd570d54ae9c0533b7502de5848c9e772708cf75509d0c9d9e
SSDEEP

384:ytBuEejMVr2gy0mK1SvySYS4SRmbESgSNSsiKjHxqD4fpBSIxoI2AAgz:y+EjXQL6SYS4SRmbESgSNSsiQJxBSQH

Score

10^/10

stealerium discovery stealer

Malware Config

Extracted

Family

stealerium

https://api.telegram.org/bot6926474815:AAFx9tLAnf5OAVQZp2teS3G2_6T1wCP67xM/sendMessage?chat_id=-4224073938

Signatures

Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
Stealerium family
stealerium

Downloads MZ/PE file 1 IoCs

flow	pid	Process
20	3164	Pdf Reader.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation	SecurityHealthHost.exe

Executes dropped EXE 1 IoCs

pid	Process
3604	SecurityHealthHost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
28	raw.githubusercontent.com
29	raw.githubusercontent.com
19	raw.githubusercontent.com
20	raw.githubusercontent.com
24	raw.githubusercontent.com
25	raw.githubusercontent.com
26	raw.githubusercontent.com
27	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdf Reader.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3840	timeout.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
2488	taskkill.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3164	Pdf Reader.exe
Token: SeDebugPrivilege	3604	SecurityHealthHost.exe
Token: SeDebugPrivilege	2488	taskkill.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3164 wrote to memory of 3604	3164	Pdf Reader.exe	90
PID 3164 wrote to memory of 3604	3164	Pdf Reader.exe	90
PID 3604 wrote to memory of 2688	3604	SecurityHealthHost.exe	92
PID 3604 wrote to memory of 2688	3604	SecurityHealthHost.exe	92
PID 2688 wrote to memory of 4716	2688	cmd.exe	94
PID 2688 wrote to memory of 4716	2688	cmd.exe	94
PID 2688 wrote to memory of 2488	2688	cmd.exe	95
PID 2688 wrote to memory of 2488	2688	cmd.exe	95
PID 2688 wrote to memory of 3840	2688	cmd.exe	96
PID 2688 wrote to memory of 3840	2688	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\Pdf Reader.exe
"C:\Users\Admin\AppData\Local\Temp\Pdf Reader.exe"
1⤵
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3164
- C:\Users\Admin\AppData\Local\Temp\SecurityHealthHost.exe
  "C:\Users\Admin\AppData\Local\Temp\SecurityHealthHost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\caecb329-86eb-4871-9c5e-5dcbb906ded9.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4716
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3604
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2488
  - - C:\Windows\system32\timeout.exe
      timeout /T 2 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:3840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control