stealerium | 1d810a842c4a71e7490f0a88bb9b0d3c82b084147e73fb2e4ef3c32456055d04

General

Target

filw.exe
Size

6.1MB
MD5

a5dc5dfb3d20c67a35c1ee67e010fc7b
SHA1

94694b8cf4d9558014f78037e1fd6fcfe4ddd4e3
SHA256

1d810a842c4a71e7490f0a88bb9b0d3c82b084147e73fb2e4ef3c32456055d04
SHA512

e8c552eff3537974ef552cf500f7c1060c5bff409fdc8ff34f98544f27afa86fb15edd0930a3b9a699977c452c2115697354772d1b4e0f095744cf7491cc9a48
SSDEEP

196608:RaiSkSIlLTUcwti7TQl2NgVg01MWAXAkuujCPX9YG9he5GnQCAJKN:QkSopwtQQl2aOtXADu8X9Y95GQLJ

Score

10^/10

stealerium stealer

Malware Config

Extracted

Family

stealerium

C2

https://api.telegram.org/bot7043342993:AAH3tTE7nerxLSr5-SkYKVrmJwCoBBaGRCU/sendMessage?chat_id=

Attributes

email
[email protected]
url
https://szurubooru.zulipchat.com/api/v1/messages

Signatures

Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
Stealerium family
stealerium

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
8	raw.githubusercontent.com
9	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
796	timeout.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
2592	taskkill.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2100	filw.exe
Token: SeDebugPrivilege	2592	taskkill.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 1508	2100	filw.exe	31
PID 2100 wrote to memory of 1508	2100	filw.exe	31
PID 2100 wrote to memory of 1508	2100	filw.exe	31
PID 1508 wrote to memory of 2536	1508	cmd.exe	33
PID 1508 wrote to memory of 2536	1508	cmd.exe	33
PID 1508 wrote to memory of 2536	1508	cmd.exe	33
PID 1508 wrote to memory of 2592	1508	cmd.exe	34
PID 1508 wrote to memory of 2592	1508	cmd.exe	34
PID 1508 wrote to memory of 2592	1508	cmd.exe	34
PID 1508 wrote to memory of 796	1508	cmd.exe	35
PID 1508 wrote to memory of 796	1508	cmd.exe	35
PID 1508 wrote to memory of 796	1508	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\filw.exe
"C:\Users\Admin\AppData\Local\Temp\filw.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2b293627-ffb2-46e5-9602-50cab053f996.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2536
- - C:\Windows\system32\taskkill.exe
    taskkill /F /PID 2100
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2592
- - C:\Windows\system32\timeout.exe
    timeout /T 2 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2b293627-ffb2-46e5-9602-50cab053f996.bat

Filesize
152B

MD5
49b98d97b1ca0be41ae792f7015edeec

SHA1
836e46a514580a2a2e42fc4f3e891257e13e7eaa

SHA256
792202a0a272e950cfab4ea4314163f1c2a27b98281f6dc3693b9a2e86f20ad5

SHA512
db39929863b73ed88e94b081366ba7fef19ccdc144202cf908297b0e2f6d87abf173bf1bddeca6e9b3b6bd524b85ac79ea89bfaddefd562103cdb137df9478bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1D62.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
1KB

MD5
a4a1d7c1b109f6597301c146dc6778cc

SHA1
c0ff626cdc667264a47383d0daacfb2510514dc5

SHA256
f3d1bacc781c774808bc089bb76945d43846f7562d7cfdb4900ce322d986d4bd

SHA512
145d78a0a370c555a680da90036800412bed6b1b8fc29a1d7191621377013a839a55005b138ff3120beb15ade78da7faabb8d1a90eea7838a037adf7752e0dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1DE2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2100-0-0x000007FEF6183000-0x000007FEF6184000-memory.dmp

Filesize
4KB

Download
memory/2100-1-0x0000000000850000-0x0000000000E68000-memory.dmp

Filesize
6.1MB

Download
memory/2100-2-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

Filesize
9.9MB

Download
memory/2100-3-0x000007FEF6183000-0x000007FEF6184000-memory.dmp

Filesize
4KB

Download
memory/2100-13-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

Filesize
9.9MB

Download
memory/2100-208-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing