stealc

General

Target

osnova.ps1
Size

2KB
Sample

250227-rmnrwazqx8
MD5

5e68cbe68666c656fb39e21bfca5cea4
SHA1

837976c146b02d48ccd9c23d0edc4327533854c5
SHA256

4dcca5d3269eb44f3cf7af62c0da3b6acab67eb758c9fb2f5cc5b1d13a7286f7
SHA512

d5addc542ce04d4a4f90e313b70a8c04d41406e8a6983b6c489d24d316bfafb922cfec848efa87155634b5cda7485bde17c9ad5af2fccb22bc6dff409486ba3d

Score

10^/10

Malware Config

Extracted

Family

stealc

Botnet

Clizma

C2

http://104.245.240.18

Attributes

url_path
/d7f85cd3e24a4757.php

Targets

- Target
  
  osnova.ps1
- Size
  
  2KB
- MD5
  
  5e68cbe68666c656fb39e21bfca5cea4
- SHA1
  
  837976c146b02d48ccd9c23d0edc4327533854c5
- SHA256
  
  4dcca5d3269eb44f3cf7af62c0da3b6acab67eb758c9fb2f5cc5b1d13a7286f7
- SHA512
  
  d5addc542ce04d4a4f90e313b70a8c04d41406e8a6983b6c489d24d316bfafb922cfec848efa87155634b5cda7485bde17c9ad5af2fccb22bc6dff409486ba3d
Score

10^/10

discovery execution stealc clizma credential_access spyware stealer
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Stealc family
  stealc
- Blocklisted process makes network request
- Downloads MZ/PE file
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1 behavioral2