stealc | ee84149d1ff1c1b15010bee9f3035252bb549a81ff966254dd6e96805e7d0c64

Resubmissions

20/02/2025, 20:08

250220-ywtstatqak 10

Analysis

max time kernel
1s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
20/02/2025, 20:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Minecraft with the Conquest Reforged mod pack + Bliss Shaders.exe
Size

1.7MB
MD5

e9c19d8c108d7e25268e669c895bd6b1
SHA1

07111dcbe6414f7078df86132cd0b3653d79ccf8
SHA256

ee37e7ff9364d35eb4184a808870bfcd89f2df7a14d77399d62891a711786f78
SHA512

acb70f9288d7a17f358977f4b1bb1629b018d98553e9ff5d9502f09eee70466146896970bbe4ebaf1ec282c8dd1c7602e14badaf64d3abe0ed2cc7a4f22e0c82
SSDEEP

12288:+lpUimgGl8F/lVfVbcpJLryPKngpEf/zoizswIUKA29+2khHBxnh7MIgAHVSRUdX:SMl8XVZcp5eSxzVzOa29dMHLhvHQRW

Score

10^/10

stealc 7930926186 discovery stealer

Malware Config

Extracted

Family

stealc

Botnet

7930926186

http://178.63.148.7

Attributes

url_path
/875489374a8fad8f.php

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Loads dropped DLL 1 IoCs

pid	Process
4856	Minecraft with the Conquest Reforged mod pack + Bliss Shaders.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4856 set thread context of 4628	4856	Minecraft with the Conquest Reforged mod pack + Bliss Shaders.exe	83

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Minecraft with the Conquest Reforged mod pack + Bliss Shaders.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 4628	4856	Minecraft with the Conquest Reforged mod pack + Bliss Shaders.exe	83
PID 4856 wrote to memory of 4628	4856	Minecraft with the Conquest Reforged mod pack + Bliss Shaders.exe	83
PID 4856 wrote to memory of 4628	4856	Minecraft with the Conquest Reforged mod pack + Bliss Shaders.exe	83
PID 4856 wrote to memory of 4628	4856	Minecraft with the Conquest Reforged mod pack + Bliss Shaders.exe	83
PID 4856 wrote to memory of 4628	4856	Minecraft with the Conquest Reforged mod pack + Bliss Shaders.exe	83
PID 4856 wrote to memory of 4628	4856	Minecraft with the Conquest Reforged mod pack + Bliss Shaders.exe	83
PID 4856 wrote to memory of 4628	4856	Minecraft with the Conquest Reforged mod pack + Bliss Shaders.exe	83
PID 4856 wrote to memory of 4628	4856	Minecraft with the Conquest Reforged mod pack + Bliss Shaders.exe	83
PID 4856 wrote to memory of 4628	4856	Minecraft with the Conquest Reforged mod pack + Bliss Shaders.exe	83

C:\Users\Admin\AppData\Local\Temp\Minecraft with the Conquest Reforged mod pack + Bliss Shaders.exe
"C:\Users\Admin\AppData\Local\Temp\Minecraft with the Conquest Reforged mod pack + Bliss Shaders.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\msvcp110.dll

Filesize
481KB

MD5
da4c71f8f61573416e2a8108b3f959e6

SHA1
5009c3f25ea3fbbefaaa9417483541e2aa448f49

SHA256
33e66aaed50889bf3780b3a49cdb237b0119d44af3f361a312436676307aa338

SHA512
6f9411d48114a64fd298c4673ca5722a7f87e74e5e95ac380bf176f6238ae89c6a77686925e060ddaf641645332be160822d0d2ec29593243a8935e6679fc231

Download Submit
memory/4628-19-0x0000000000C00000-0x0000000000E61000-memory.dmp

Filesize
2.4MB

Download
memory/4628-21-0x00000000774F0000-0x00000000775E0000-memory.dmp

Filesize
960KB

Download
memory/4628-17-0x0000000000C00000-0x0000000000E61000-memory.dmp

Filesize
2.4MB

Download
memory/4628-15-0x0000000000C00000-0x0000000000E61000-memory.dmp

Filesize
2.4MB

Download
memory/4628-22-0x00000000774F0000-0x00000000775E0000-memory.dmp

Filesize
960KB

Download
memory/4856-5-0x00000000774F0000-0x00000000775E0000-memory.dmp

Filesize
960KB

Download
memory/4856-1-0x0000000077500000-0x0000000077566000-memory.dmp

Filesize
408KB

Download
memory/4856-12-0x00000000774F0000-0x00000000775E0000-memory.dmp

Filesize
960KB

Download
memory/4856-13-0x00000000774F0000-0x00000000775E0000-memory.dmp

Filesize
960KB

Download
memory/4856-20-0x00000000774F0000-0x00000000775E0000-memory.dmp

Filesize
960KB

Download