stealc | 204809d4ec414a7e31645f69d870fa8063a780e8aa574d4e70652249a6d27191

Analysis

max time kernel
120s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
18/02/2025, 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6ca63a0cf09a33dcef786430c6184c4.exe
Size

898KB
MD5

e6ca63a0cf09a33dcef786430c6184c4
SHA1

da8bce6c67ecb86e8ed1aa9d90d9788424d7aada
SHA256

204809d4ec414a7e31645f69d870fa8063a780e8aa574d4e70652249a6d27191
SHA512

1e5f2d238a865094ccd6b22b458f3c2aae6b685e1a8510f442ba6d3a91d71b165624b438fdd72132b053d0ef93afed6136d4b43a6b1634c8113a6cf79f693bf7
SSDEEP

24576:3e04TvlV3TtEUuVtG+aItxpywP8o987KaG6:uNTvlV3otG+aIUi8tG6

Score

10^/10

stealc discovery stealer

Malware Config

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	e6ca63a0cf09a33dcef786430c6184c4.exe

Executes dropped EXE 1 IoCs

pid	Process
3172	U.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
1716	tasklist.exe
3804	tasklist.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SteveUsb	e6ca63a0cf09a33dcef786430c6184c4.exe
File opened for modification	C:\Windows\GymRemoved	e6ca63a0cf09a33dcef786430c6184c4.exe
File opened for modification	C:\Windows\ShirtMauritius	e6ca63a0cf09a33dcef786430c6184c4.exe
File opened for modification	C:\Windows\SlovakNebraska	e6ca63a0cf09a33dcef786430c6184c4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e6ca63a0cf09a33dcef786430c6184c4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	U.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3172	U.com
3172	U.com
3172	U.com
3172	U.com
3172	U.com
3172	U.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1716	tasklist.exe
Token: SeDebugPrivilege	3804	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3172	U.com
3172	U.com
3172	U.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3172	U.com
3172	U.com
3172	U.com

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 4632	4984	e6ca63a0cf09a33dcef786430c6184c4.exe	87
PID 4984 wrote to memory of 4632	4984	e6ca63a0cf09a33dcef786430c6184c4.exe	87
PID 4984 wrote to memory of 4632	4984	e6ca63a0cf09a33dcef786430c6184c4.exe	87
PID 4632 wrote to memory of 116	4632	cmd.exe	89
PID 4632 wrote to memory of 116	4632	cmd.exe	89
PID 4632 wrote to memory of 116	4632	cmd.exe	89
PID 4632 wrote to memory of 1716	4632	cmd.exe	90
PID 4632 wrote to memory of 1716	4632	cmd.exe	90
PID 4632 wrote to memory of 1716	4632	cmd.exe	90
PID 4632 wrote to memory of 5096	4632	cmd.exe	91
PID 4632 wrote to memory of 5096	4632	cmd.exe	91
PID 4632 wrote to memory of 5096	4632	cmd.exe	91
PID 4632 wrote to memory of 3804	4632	cmd.exe	93
PID 4632 wrote to memory of 3804	4632	cmd.exe	93
PID 4632 wrote to memory of 3804	4632	cmd.exe	93
PID 4632 wrote to memory of 5036	4632	cmd.exe	94
PID 4632 wrote to memory of 5036	4632	cmd.exe	94
PID 4632 wrote to memory of 5036	4632	cmd.exe	94
PID 4632 wrote to memory of 1060	4632	cmd.exe	95
PID 4632 wrote to memory of 1060	4632	cmd.exe	95
PID 4632 wrote to memory of 1060	4632	cmd.exe	95
PID 4632 wrote to memory of 2012	4632	cmd.exe	96
PID 4632 wrote to memory of 2012	4632	cmd.exe	96
PID 4632 wrote to memory of 2012	4632	cmd.exe	96
PID 4632 wrote to memory of 4272	4632	cmd.exe	97
PID 4632 wrote to memory of 4272	4632	cmd.exe	97
PID 4632 wrote to memory of 4272	4632	cmd.exe	97
PID 4632 wrote to memory of 2116	4632	cmd.exe	98
PID 4632 wrote to memory of 2116	4632	cmd.exe	98
PID 4632 wrote to memory of 2116	4632	cmd.exe	98
PID 4632 wrote to memory of 2708	4632	cmd.exe	99
PID 4632 wrote to memory of 2708	4632	cmd.exe	99
PID 4632 wrote to memory of 2708	4632	cmd.exe	99
PID 4632 wrote to memory of 3172	4632	cmd.exe	100
PID 4632 wrote to memory of 3172	4632	cmd.exe	100
PID 4632 wrote to memory of 3172	4632	cmd.exe	100
PID 4632 wrote to memory of 2928	4632	cmd.exe	101
PID 4632 wrote to memory of 2928	4632	cmd.exe	101
PID 4632 wrote to memory of 2928	4632	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\e6ca63a0cf09a33dcef786430c6184c4.exe
"C:\Users\Admin\AppData\Local\Temp\e6ca63a0cf09a33dcef786430c6184c4.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c expand Buys.mp3 Buys.mp3.bat & Buys.mp3.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4632
- - C:\Windows\SysWOW64\expand.exe
    expand Buys.mp3 Buys.mp3.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:116
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1716
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5096
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3804
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5036
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 345160
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1060
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Wins.mp3
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2012
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Hence" Instruction
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4272
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 345160\U.com + Experiencing + Potter + Presenting + Pioneer + Worldwide + Answering + Viewed + Calgary 345160\U.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2116
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Periods.mp3 + ..\Seminar.mp3 + ..\Utilize.mp3 + ..\Stem.mp3 + ..\Screenshots.mp3 + ..\Mentor.mp3 z
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2708
- - C:\Users\Admin\AppData\Local\Temp\345160\U.com
    U.com z
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3172
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\345160\U.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\345160\z

Filesize
348KB

MD5
c0bb258524396804ea93f340856909a2

SHA1
27f3f59df4f34348cffc9893b6fc675d56b6eafa

SHA256
c9dda6f8dc5ad4eb31137d13c9c2c7b3725d7a19fdac53baf7328ff0dfda217d

SHA512
37ca23434e328c3d5679a2f4d459e8d2af1262c5abaf14db1b2709e887928f1e943493383a108d8b5db29b7d80ac523bb9b4e204155037a9799eda0ace02c621

Download Submit
C:\Users\Admin\AppData\Local\Temp\Answering

Filesize
134KB

MD5
8cbb50e6f3835bdeabb8391dd4546357

SHA1
1f65c558ea1ada18bc90db73da146ae7ab6cfd69

SHA256
11c341d9eab153254842318be1d87bfd9ce018e57779d485c9470a16e27e7931

SHA512
8e925bcacd44820014f253004e40bbc254b063078af0891e66b66514ea70fac79e77479f9706ea43687a9c385d2eecc97832cc50cdd071d9fc854d34b6578e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Calgary

Filesize
47KB

MD5
da978e82b21d766c53a503d62e8004b3

SHA1
cd0af0d1450272324811d2db93e57e2e0a2664f2

SHA256
db741b2733fa63749963738b3f5a1ec4064fa35122554dd5c5712269a398ae57

SHA512
d1aad296b6e326855fadb9d27c893108268449bc754b9db088e0859e6b22e936ecca1e187c502faab85b40c9a73fff0812f17c32f9d65d8bafcfaecc62c996f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Experiencing

Filesize
127KB

MD5
d628a2162b8acb4dd7624d7263da250b

SHA1
a476eff09f1366887ce80ee1aba0faa7859ff51a

SHA256
2e1a4d4ea0266a791b14478dab848b8ed713589c2d773d27bdc93745d9812e6c

SHA512
d0f52d3b7bc2084bf350d8294307da600f18d5a389ae9bb7d430b5b014ffe140fb7f6ca9122e0166eb4c498c74bd11cde66233010b9c1a3af7b5a019115a52ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Instruction

Filesize
1KB

MD5
d14ed41d0367b5d855c423a3412a6852

SHA1
2b08a2d7e8892e647806f6dfd03ef437eb24f880

SHA256
62639c23b1102a1b3dfc6fe3e2b3d1b319eecdcc4b0376d45d7fdcc8ebe8d83e

SHA512
d1c23e9e21594e3dba49d01a1013d58b74c1b3aad4ed0be8f0c64143c96683f87e928b105bdd389b4f6a5d72d39cc4627e8206a9eb4bc5732591ec96033f1788

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mentor.mp3

Filesize
4KB

MD5
3141efb5001e156e0519ec938d4d80b3

SHA1
f075222d64efde7bc74e2db94051a30b1d875412

SHA256
0ece99b5da4867d19e274ea3f4abe1eea6bd8aa0f1af99bae3376b37ed63e78f

SHA512
1c4359664a1b8798a70c744e97da26b298a03d95e43b6027be4a5bf4a1f88bae9f92e030d8988a3b468e7327113dbe79fda231a01bcc6a078faec04b794468e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Periods.mp3

Filesize
65KB

MD5
e7d41106dafd5bfde2a15d45373e3dc7

SHA1
dda4294886bddaca7d9f56bf7e395872ce4125a1

SHA256
50617e532cb1a7ab8bf6047c15c693d36b6106faf5ea3b23769b3196a4e1c837

SHA512
08d83e7c1e5746452641117b96fb1c0000894925f2f34c222ed89a3bc8aa1c80dd6ccfc056f892a10c87fdeeb02f46d7c4dd70c00d2b9a5be6f93a5ef0a5fda6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pioneer

Filesize
94KB

MD5
7a1347efb537a6b1da27849805c55b9e

SHA1
9c90c7de81868d728feb7dcfdad6b6a8cc0bdd78

SHA256
9d635aa27635cb7673acd3dfb4ce51828d65c54327d4b9b74d9c1341d3657719

SHA512
3bb0a687d4b099bb24c46bb6be93b40d41e8eec3837e2eed2ee250ac5ce044d35a94986e97362fa134eddd7d314c18be5a1aade4483236a2f3e105dd3f06de9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Potter

Filesize
131KB

MD5
dbd587032050e341aa1dc99fb3d5791a

SHA1
37be8f8066c9888f630ef22ed2586d20a4cf14bf

SHA256
c42858dcc624fcfd0fc73ef0afa1fd311309c3482cfc76727e0621f6e3adc8ef

SHA512
ce94631778777875c12dcea4938ff89acbf5f21cc64bb7ea5ae72ac0c4377c06b4f3bd192e00ad9720736b3eece9b03ddf291fe39b8c2c9733d82b29e899ee5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Presenting

Filesize
127KB

MD5
8ddf4558ec0ba8fb0de9f862b85724d6

SHA1
60f0c21b527d3190d1aa181d846ae5a03bb1fbe7

SHA256
4b814bef2c7c998126d7494cb5b9f3dc51ccf742c3810815e06333ab2a2bafb9

SHA512
abfd9585d1fc7b7bc0f2601ce187465d6fee00174577425d09e3aa198fc702f4a6a8355a5869e2b77905cb06b2fb38f4b9437bc168fc08fb511e54e42f882890

Download Submit
C:\Users\Admin\AppData\Local\Temp\Screenshots.mp3

Filesize
75KB

MD5
a8aa3ffd8462e3083b1f7f99750ab726

SHA1
e65fc8a695092d34a943b4ebbcfd9c2d2e45e661

SHA256
3fd2f4309a6bb48975c774a23ddb149b9bebc555f777bc6813fc7015fafe97e3

SHA512
c12213166a042e451a4e65032074bc45addf930ad91ee28f75fc65d049e1a041a8fffde9e0916f65c94767d2adbd257416bc0f24e14490b2b2b34cd8c3951ac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Seminar.mp3

Filesize
73KB

MD5
44088744c5da1027fae77b4e3b4893c7

SHA1
13eff7a20b72c15efad8ccd3120a0764a0dac285

SHA256
e0fa3de7dc4383e95304055d48ba8cae41c3b6de2bb7a25783eca72cd6190616

SHA512
be8f13daffccc884addbe94559231782fbd7beeff41a34160e9ada50ed8da222938e8417d7f092746e2c16be791cf9e3010a1b4e8f71ca7bf4493756369ac68b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stem.mp3

Filesize
74KB

MD5
c9db0bf5c99cb6e4fb631124aea25afa

SHA1
32130b1931d635de7ae8b1b1cf0b7a62c7aa531c

SHA256
d87cccbe473c8107aa187417ff61415fe211d8a1c691c0dbfe101457121a3e9c

SHA512
33b9caf64fa86ab71685d7c3e3e3410ad8b24f91ec74145b4673d82d79af3045c11742acc9072acb8876b4bd46968c42caadf46100103d8482f4c5bf9061218f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Utilize.mp3

Filesize
57KB

MD5
7de5bb2de8e6970abe1a3f09ae1e7e51

SHA1
c46a388a720b8cee06178b9f7d5afd977548c80a

SHA256
90c455f80a2f4335e2201f8b8a7959dbb728d3b88e9156e04e803bd5c272b588

SHA512
bf8fa2fcd0c7496acfc7870079ed2e08b82d65ad437b618858950fc014e40d7b2fb80d3efa66439172b9119562fcdc385cb4c5a0ca2c39d379703cc0b09c59cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Viewed

Filesize
117KB

MD5
28c47995b94677b3b7d1c2c0df232c79

SHA1
1e339b48d46c837bf7cf8e2f2b0f81d2d55c4baf

SHA256
35db6dd9aa1f1b0a91c6a4098a1bceb11722198b3d51d2981c3cb3b6ddbc5fcf

SHA512
8da091f1fdca1fe835deb1f87fc45ff095a30d965683e79e36f4d58a859120ce415172887153acc2cd80d2fb9fa2cea60a510711df80f2d8cdb49c16c0f634be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wins.mp3

Filesize
475KB

MD5
42b42ead05f92d12bce8d3de3124e08c

SHA1
ca0f93f5f87398a3691886125f13cdd66641122a

SHA256
ea2302db685e20ffe83208f96c3c1fe87cba6e34f6ac8da875cc275d5ab75167

SHA512
c8219203cfc76703433a0fecd9cfcdb244d3236a7893c3c946d821d63970ad1770c583dcaed951daf59753d828125fcbc6dc314eb3a86cd18ab85bcda118d6be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Worldwide

Filesize
146KB

MD5
6842907ca155f0a76872f3c3cd56c2b0

SHA1
6c10176a0c6a2942270e6220bc9df65c6e1a7f98

SHA256
f73b1257c366a4837798e2592446ffd6c240709fa59a3f61379e6f2ab290ebe6

SHA512
ab024ae7c30e35b7ff36919c43748057eff34ee38815df6c229febd783099065dc5e87f80a26406dcd14c7f3dbfc302035066aab96cfe8d3a10154c40975eb03

Download Submit
C:\Users\Admin\AppData\Local\Temp\buys.mp3

Filesize
15KB

MD5
64e0488415a5f90bf7ef637e309a0edd

SHA1
a4cec8094cb195369b59978c6faf797fc050120b

SHA256
c8a74cd90ea4645f4cf89acf692bdb84f856bd8e239b98328eb1d8f9d7534541

SHA512
1cf2a355a77642b35cdd86e26eac53de9e47273e3edd365f55fc04ba689410f30bce02bdc14f7d89e609eb7acefb381f4aa575d93244b3f768dd871cfba80542

Download Submit
memory/3172-63-0x0000000004310000-0x0000000004560000-memory.dmp

Filesize
2.3MB

Download
memory/3172-64-0x0000000004310000-0x0000000004560000-memory.dmp

Filesize
2.3MB

Download
memory/3172-66-0x0000000004310000-0x0000000004560000-memory.dmp

Filesize
2.3MB

Download
memory/3172-65-0x0000000004310000-0x0000000004560000-memory.dmp

Filesize
2.3MB

Download
memory/3172-62-0x0000000004310000-0x0000000004560000-memory.dmp

Filesize
2.3MB

Download