stealerium | 1d810a842c4a71e7490f0a88bb9b0d3c82b084147e73fb2e4ef3c32456055d04

General

Target

filw.exe
Size

6.1MB
MD5

a5dc5dfb3d20c67a35c1ee67e010fc7b
SHA1

94694b8cf4d9558014f78037e1fd6fcfe4ddd4e3
SHA256

1d810a842c4a71e7490f0a88bb9b0d3c82b084147e73fb2e4ef3c32456055d04
SHA512

e8c552eff3537974ef552cf500f7c1060c5bff409fdc8ff34f98544f27afa86fb15edd0930a3b9a699977c452c2115697354772d1b4e0f095744cf7491cc9a48
SSDEEP

196608:RaiSkSIlLTUcwti7TQl2NgVg01MWAXAkuujCPX9YG9he5GnQCAJKN:QkSopwtQQl2aOtXADu8X9Y95GQLJ

Score

10^/10

stealerium discovery stealer

Malware Config

Extracted

Family

stealerium

C2

https://api.telegram.org/bot7043342993:AAH3tTE7nerxLSr5-SkYKVrmJwCoBBaGRCU/sendMessage?chat_id=

Attributes

email
[email protected]
url
https://szurubooru.zulipchat.com/api/v1/messages

Signatures

Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
Stealerium family
stealerium

Downloads MZ/PE file 1 IoCs

flow	pid	Process
55	3456	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1290774215-692483676-1419523182-1000\Control Panel\International\Geo\Nation	filw.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	raw.githubusercontent.com
9	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4348	MicrosoftEdgeUpdate.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3748	timeout.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
2192	taskkill.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4996	filw.exe
Token: SeDebugPrivilege	2192	taskkill.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 3992	4996	filw.exe	99
PID 4996 wrote to memory of 3992	4996	filw.exe	99
PID 3992 wrote to memory of 2268	3992	cmd.exe	101
PID 3992 wrote to memory of 2268	3992	cmd.exe	101
PID 3992 wrote to memory of 2192	3992	cmd.exe	102
PID 3992 wrote to memory of 2192	3992	cmd.exe	102
PID 3992 wrote to memory of 3748	3992	cmd.exe	103
PID 3992 wrote to memory of 3748	3992	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\filw.exe
"C:\Users\Admin\AppData\Local\Temp\filw.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f826f86d-d539-4f88-b906-950e927b1a29.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3992
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2268
- - C:\Windows\system32\taskkill.exe
    taskkill /F /PID 4996
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2192
- - C:\Windows\system32\timeout.exe
    timeout /T 2 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:3748

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NkVFMEJBMEUtRDM4NS00QUFDLUFGODYtQUVFODQxMzU4MzhCfSIgdXNlcmlkPSJ7N0M3Q0Q2RkEtOUIxOS00MTBFLUJCMjktNzY0QzhGQ0RGNjgyfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7OUU1RTc3OEItQkE0OC00NTczLTlEMDEtRUI0QjkzMEI1Q0EyfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDQ5MjgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxNzQzMjM4OTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjU5ODI5MzAyIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
2KB

MD5
523fed03d36b87b87567db9112768bd4

SHA1
2be85dd098e2a79fffa79d8eeed633c17be077d0

SHA256
533fa180ea9c46dc3fac250d351ae5a4388d329a1857d281e017e3c9a5c568fe

SHA512
79440b6228b240d86ddf939afb9884787883ff6b74f66efbb63915a9a3141b1998990e48d50f9b0a7dba455d47e191a08abe2b1ae1357a2f6b75240850d5998d

Download Submit
C:\Users\Admin\AppData\Local\Temp\f826f86d-d539-4f88-b906-950e927b1a29.bat

Filesize
152B

MD5
b1f9176790974e850585122fc43b6afb

SHA1
0dfd767284ecd601ba3c52fc4d21ef424140dcb6

SHA256
b89de1676b9fc92a0a6efc55465014f2e6ddb85386e7ae19758f66e7f1f98386

SHA512
59a236e2f4faf9d4550f09cea6a7272e49c79fcc2998eaf16772c2d3774b255e72b20f80334b7d99e904b88217e3e49bb6ced24457ccdfec29bc9e4635129a02

Download Submit
memory/4996-0-0x00007FF8DE023000-0x00007FF8DE025000-memory.dmp

Filesize
8KB

Download
memory/4996-1-0x000001BEF8090000-0x000001BEF86A8000-memory.dmp

Filesize
6.1MB

Download
memory/4996-2-0x00007FF8DE020000-0x00007FF8DEAE1000-memory.dmp

Filesize
10.8MB

Download
memory/4996-38-0x00007FF8DE023000-0x00007FF8DE025000-memory.dmp

Filesize
8KB

Download
memory/4996-39-0x00007FF8DE020000-0x00007FF8DEAE1000-memory.dmp

Filesize
10.8MB

Download
memory/4996-50-0x00007FF8DE020000-0x00007FF8DEAE1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing