svcstealer | 06bef5b61ad007fb027300ed10a02ff9884a082570cde9434829093cfd3b4907

General

Target

06bef5b61ad007fb027300ed10a02ff9884a082570cde9434829093cfd3b4907.exe
Size

3.6MB
MD5

deb1a85e75c8f9e45da43bb6acdaba0f
SHA1

c8ed700525263859e3c249a619e5043746c3c1ca
SHA256

06bef5b61ad007fb027300ed10a02ff9884a082570cde9434829093cfd3b4907
SHA512

08b983b15563cb5bdad328fb1dc9d98bd4c67f8ad20001f41609f317dbc76b1bef0b00bfec0f5eaaa3b7da57465fa15d96a15ae5f07c962d637ce2953c15b2ab
SSDEEP

49152:Gj7p0URkU0wQxMYC7H0b4m5wV61FqaJm41+kpfLDE4D5TVa0IV71YtF1:Gh9H0W610a3pfsYGVp

Score

10^/10

svcstealer discovery downloader persistence spyware stealer

Malware Config

Extracted

Family

svcstealer

Version

3.0

C2

185.81.68.156

176.113.115.149

Attributes

url_paths
/svcstealer/get.php

Signatures

Detects SvcStealer Payload 1 IoCs

SvcStealer aka Diamotrix Clipper is a stealer/downloader written in C++.

resource	yara_rule
behavioral1/files/0x0007000000018780-19.dat	family_svcstealer

SvcStealer, Diamotrix
SvcStealer aka Diamotrix Clipper is a stealer/downloader written in C++.
stealer downloader svcstealer
Svcstealer family
svcstealer

Executes dropped EXE 3 IoCs

pid	Process
2120	syxssbxavpcp.exe
2708	sysxxcchceck.exe
3068	Launcher.exe

Loads dropped DLL 4 IoCs

pid	Process
2584	06bef5b61ad007fb027300ed10a02ff9884a082570cde9434829093cfd3b4907.exe
2584	06bef5b61ad007fb027300ed10a02ff9884a082570cde9434829093cfd3b4907.exe
2584	06bef5b61ad007fb027300ed10a02ff9884a082570cde9434829093cfd3b4907.exe
2584	06bef5b61ad007fb027300ed10a02ff9884a082570cde9434829093cfd3b4907.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\E2AF4C70EE242148772887\\E2AF4C70EE242148772887.exe"	syxssbxavpcp.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2120	syxssbxavpcp.exe
2708	sysxxcchceck.exe
2708	sysxxcchceck.exe
2708	sysxxcchceck.exe
2708	sysxxcchceck.exe
2708	sysxxcchceck.exe
2708	sysxxcchceck.exe
2708	sysxxcchceck.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3068	Launcher.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1208	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3068	Launcher.exe
3068	Launcher.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 2120	2584	06bef5b61ad007fb027300ed10a02ff9884a082570cde9434829093cfd3b4907.exe	30
PID 2584 wrote to memory of 2120	2584	06bef5b61ad007fb027300ed10a02ff9884a082570cde9434829093cfd3b4907.exe	30
PID 2584 wrote to memory of 2120	2584	06bef5b61ad007fb027300ed10a02ff9884a082570cde9434829093cfd3b4907.exe	30
PID 2120 wrote to memory of 1208	2120	syxssbxavpcp.exe	21
PID 2584 wrote to memory of 2708	2584	06bef5b61ad007fb027300ed10a02ff9884a082570cde9434829093cfd3b4907.exe	31
PID 2584 wrote to memory of 2708	2584	06bef5b61ad007fb027300ed10a02ff9884a082570cde9434829093cfd3b4907.exe	31
PID 2584 wrote to memory of 2708	2584	06bef5b61ad007fb027300ed10a02ff9884a082570cde9434829093cfd3b4907.exe	31
PID 2584 wrote to memory of 3068	2584	06bef5b61ad007fb027300ed10a02ff9884a082570cde9434829093cfd3b4907.exe	32
PID 2584 wrote to memory of 3068	2584	06bef5b61ad007fb027300ed10a02ff9884a082570cde9434829093cfd3b4907.exe	32
PID 2584 wrote to memory of 3068	2584	06bef5b61ad007fb027300ed10a02ff9884a082570cde9434829093cfd3b4907.exe	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1208
- C:\Users\Admin\AppData\Local\Temp\06bef5b61ad007fb027300ed10a02ff9884a082570cde9434829093cfd3b4907.exe
  "C:\Users\Admin\AppData\Local\Temp\06bef5b61ad007fb027300ed10a02ff9884a082570cde9434829093cfd3b4907.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\ProgramData\syxssbxavpcp.exe
    "C:\ProgramData\syxssbxavpcp.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2120
- - C:\ProgramData\sysxxcchceck.exe
    "C:\ProgramData\sysxxcchceck.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2708
- - C:\Users\Admin\AppData\Local\Temp\Launcher.exe
    "Launcher.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Browser Information Discovery

1

T1217

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Settings.ini

Filesize
221B

MD5
fa6e9c5688467ba75eaf2d20bc40b1d4

SHA1
67793351f16112fd18044f782f32a96da0ca3534

SHA256
9b4a33fa59dab9cc1cfbb900df3e874ecac7e0e60e53d4dd0f5e372a00248ae0

SHA512
af4d406da4bb9428c7cd3ce46876ba6224246a337cf35d5199c8291b3cf493e855d7ef72c80366d397cddd66573b982343179f11674259091335813e07931700

Download Submit
\ProgramData\sysxxcchceck.exe

Filesize
1.2MB

MD5
0fc48443cf43acf044b2e9e7d72fad9f

SHA1
f61c404b6244781462f44fccbd0635f18d9d9cc3

SHA256
a81645190d2aa1d9f3e65bdbebd7277981c943046be8ea03904bcfdd991a69ab

SHA512
796742f0fa89f94f8f4aa10854d45fd20898af17f565da9a5e6e165807b46ea0fd7145bfb6da08e23a6eebdd075b0eed3b5aa6262e3272495f67f73e1aef6189

Download Submit
\ProgramData\syxssbxavpcp.exe

Filesize
47KB

MD5
c137e1ba3d33f2bc7bc6d43fbfdd2d3e

SHA1
89cd689e744064be3f52733133124913b02d99b5

SHA256
bc14ad7ff3a54ced983bf4fd11f0c01858053bea93bc9c8a8ed5cf1ce3d413d6

SHA512
cca934a0cb4cf2be34c3c2e3007ed91b4220e4f57b0862d66294b4b87069c4b6dd40978eb1b4fa1631b4f8dc15528812b5657b69d432a7ab35e3b9a73fab54a1

Download Submit
\Users\Admin\AppData\Local\Temp\Launcher.exe

Filesize
2.2MB

MD5
466d79575c8b54bfcab600356a80accf

SHA1
de7a53d4f7b111737d998d037afb3e390dfa3d5d

SHA256
58f202f03bb28c1c59533a00f5f94cbf43a933e40cf50cbfac83471d4f22cd00

SHA512
5a113d09e9e2b208b516f4556ea5f776fba0d72a3b5983ab93ab7503857def1e8808e9bd5ea5f77464e48338d6d1d66007278b51496e0f1cec9377fdfe886a9b

Download Submit
memory/1208-18-0x0000000002F00000-0x0000000002F17000-memory.dmp

Filesize
92KB

Download
memory/1208-12-0x0000000002F00000-0x0000000002F17000-memory.dmp

Filesize
92KB

Download
memory/1208-11-0x0000000002F00000-0x0000000002F17000-memory.dmp

Filesize
92KB

Download
memory/2120-16-0x000000013F4B0000-0x000000013F4C1000-memory.dmp

Filesize
68KB

Download
memory/2584-9-0x000000013F4B0000-0x000000013F4C1000-memory.dmp

Filesize
68KB

Download
memory/2584-4-0x000000013F4B0000-0x000000013F4C1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads