svcstealer | 1a5da09e281f4a2acadf791cbad426351a769d2b8057005b1415e74a7ddfb0af[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

1a5da09e281f4a2acadf791cbad426351a769d2b8057005b1415e74a7ddfb0af.exe
Size

1.2MB
MD5

c29f43cd9249c6c87a0dcdf849c0e2da
SHA1

d113978fd12af6a699ab741e444f028c17c1dc62
SHA256

1a5da09e281f4a2acadf791cbad426351a769d2b8057005b1415e74a7ddfb0af
SHA512

b7ea948e81fe65b425b1c115acfd6d2c49b4a0084e62f62ddce38949dc140f94156535405ba4c263413c6103a530d6a1fd784acca35f52c1d63795ffe0093800
SSDEEP

24576:LtOtoXxa+VQlUxX0YulFoPcIZE+r1ipfms:BOtoxKlU8FoP8

Score

10^/10

svcstealer

Malware Config

Extracted

Family

svcstealer

Version

3.1

185.81.68.156

176.113.115.149

Attributes

url_paths
/svcstealer/get.php

Signatures

Detects SvcStealer Payload 1 IoCs

SvcStealer aka Diamotrix Clipper is a stealer/downloader written in C++.

resource	yara_rule
sample	family_svcstealer

Svcstealer family
svcstealer

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
1a5da09e281f4a2acadf791cbad426351a769d2b8057005b1415e74a7ddfb0af.exe

Files

1a5da09e281f4a2acadf791cbad426351a769d2b8057005b1415e74a7ddfb0af.exe
.exe windows:6 windows x64 arch:x64

4b08efbed763524964334e9746c7ffd2

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

LoadLibraryA
SetCurrentDirectoryW
Process32First
GetComputerNameW
K32GetModuleFileNameExW
OpenProcess
GetVersionExW
GetModuleFileNameW
GetLocalTime
Process32Next
GlobalMemoryStatusEx
K32EnumProcesses
GetSystemInfo
CreateToolhelp32Snapshot
ExitProcess
TerminateThread
DeleteFileW
CreateThread
HeapAlloc
HeapFree
GetProcessHeap
FormatMessageA
SetLastError
OutputDebugStringA
LocalFree
HeapReAlloc
GetCurrentProcess
GetModuleHandleW
HeapDestroy
HeapCreate
GetCurrentThreadId
GetCurrentProcessId
GetFullPathNameW
GetFullPathNameA
CreateMutexW
HeapCompact
SetFilePointer
TryEnterCriticalSection
MapViewOfFile
UnmapViewOfFile
SetEndOfFile
SystemTimeToFileTime
QueryPerformanceCounter
WaitForSingleObject
UnlockFile
FlushViewOfFile
LockFile
WaitForSingleObjectEx
OutputDebugStringW
GetTickCount
UnlockFileEx
GetSystemTimeAsFileTime
InitializeCriticalSection
WideCharToMultiByte
LoadLibraryW
FormatMessageW
GetFileAttributesA
LeaveCriticalSection
HeapValidate
GetFileAttributesW
MultiByteToWideChar
GetProcAddress
GetTempPathW
HeapSize
LockFileEx
EnterCriticalSection
GetDiskFreeSpaceW
CreateFileMappingA
CreateFileMappingW
GetDiskFreeSpaceA
GetFileAttributesExW
DeleteCriticalSection
GetVersionExA
GetTempPathA
GetSystemTime
AreFileApisANSI
DeleteFileA
FindFirstFileW
CreateDirectoryW
CopyFileW
FindClose
FindNextFileW
GetWindowsDirectoryA
GetVolumeInformationA
TerminateProcess
CopyFileA
Process32FirstW
RemoveDirectoryW
Process32NextW
GetWindowsDirectoryW
GetVolumeInformationW
FindFirstFileA
FindNextFileA
WriteConsoleW
SetStdHandle
EnumSystemLocalesEx
IsValidLocaleName
LCMapStringEx
GetUserDefaultLocaleName
CompareStringEx
lstrcatA
FreeLibrary
lstrcpyA
GetCurrentDirectoryW
Sleep
lstrlenA
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetTickCount64
ReadConsoleW
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlCaptureContext
GetTimeZoneInformation
GetOEMCP
GetACP
IsValidCodePage
GetConsoleMode
GetConsoleCP
SetFilePointerEx
GetStartupInfoW
InitOnceExecuteOnce
GetFileType
GetStdHandle
GetModuleHandleExW
IsDebuggerPresent
IsProcessorFeaturePresent
InitializeCriticalSectionAndSpinCount
RtlUnwindEx
RtlLookupFunctionEntry
lstrcmpA
CloseHandle
GetLastError
CreateFileW
ReadFile
WriteFile
GetFileSize
FlushFileBuffers
CreateFileA
RaiseException
RtlPcToFileHeader
GetCommandLineW
LoadLibraryExW
ExitThread
GetCPInfo
GetLocaleInfoEx
InitializeCriticalSectionEx
DecodePointer
EncodePointer
GetStringTypeW
SetEnvironmentVariableA

user32

wsprintfW
GetDC
GetWindow
GetWindowTextW
GetSystemMetrics
GetWindowThreadProcessId
GetTopWindow
wsprintfA

advapi32

GetUserNameW

shlwapi

PathStripPathA
PathFindExtensionW
StrCmpIW

shell32

SHGetKnownFolderPath
ShellExecuteW
SHGetFolderPathW
SHGetFolderPathA

ole32

CoUninitialize
CoInitializeSecurity
CoInitializeEx
CoSetProxyBlanket
CoCreateInstance

oleaut32

SysAllocString
VariantClear
SysFreeString

bcrypt

BCryptOpenAlgorithmProvider
BCryptSetProperty
BCryptDecrypt
BCryptCloseAlgorithmProvider
BCryptGenerateSymmetricKey

crypt32

CryptUnprotectData
CryptStringToBinaryA

gdi32

CreateCompatibleDC
SelectObject
DeleteObject
CreateCompatibleBitmap
BitBlt

gdiplus

GdipSaveImageToFile
GdipGetImageEncoders
GdipCloneImage
GdipDisposeImage
GdipGetImageEncodersSize
GdiplusStartup
GdipFree
GdipAlloc
GdipCreateBitmapFromHBITMAP
GdiplusShutdown

msi

ord70
ord246

Sections

.text
Size: 933KB - Virtual size: 933KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 175KB - Virtual size: 174KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 21KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 45KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 648B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

4b08efbed763524964334e9746c7ffd2

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

shlwapi

shell32

ole32

oleaut32

bcrypt

crypt32

gdi32

gdiplus

msi

Sections

.text Size: 933KB - Virtual size: 933KB

.rdata Size: 175KB - Virtual size: 174KB

.data Size: 21KB - Virtual size: 33KB

.pdata Size: 45KB - Virtual size: 44KB

.rsrc Size: 1024B - Virtual size: 648B

.reloc Size: 12KB - Virtual size: 11KB

.text
Size: 933KB - Virtual size: 933KB

.rdata
Size: 175KB - Virtual size: 174KB

.data
Size: 21KB - Virtual size: 33KB

.pdata
Size: 45KB - Virtual size: 44KB

.rsrc
Size: 1024B - Virtual size: 648B

.reloc
Size: 12KB - Virtual size: 11KB