svcstealer | f126cbaecfd33f8026cf15a223857503f147b947dccb7a5da727ea19a4a5963b

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
28/02/2025, 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Flasher.exe
Size

573KB
MD5

eff931961e9134a9945fadd29df90ff7
SHA1

cc27b1d909b14a01a88d27545007703aa9c82d36
SHA256

f126cbaecfd33f8026cf15a223857503f147b947dccb7a5da727ea19a4a5963b
SHA512

5a5bdd3458b64ff434598dd09c98d2ef31945288560d2995ec6200ed0894a71e2522d5ffbdb23f9fcd59159bb811983b0c2862b688cff5fc7fbb50e9a113f290
SSDEEP

12288:ntuH9xWLgvHIh+bOH1JcyDXFJgazKHWs88/vNKI8e:nto9xWLgvHI+OHPcy7T7zBs88/vgZe

Score

10^/10

svcstealer downloader persistence stealer

Malware Config

Signatures

Detects SvcStealer Payload 4 IoCs

SvcStealer aka Diamotrix Clipper is a stealer/downloader written in C++.

resource	yara_rule
behavioral1/memory/2308-0-0x000000013FAD0000-0x000000013FB65000-memory.dmp	family_svcstealer
behavioral1/memory/1272-2-0x00000000050B0000-0x000000000514B000-memory.dmp	family_svcstealer
behavioral1/memory/2308-7-0x000000013FAD0000-0x000000013FB65000-memory.dmp	family_svcstealer
behavioral1/memory/1272-6-0x00000000050B0000-0x000000000514B000-memory.dmp	family_svcstealer

SvcStealer, Diamotrix
SvcStealer aka Diamotrix Clipper is a stealer/downloader written in C++.
stealer downloader svcstealer
Svcstealer family
svcstealer

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\afcfaabac = "\"C:\\ProgramData\\afcfaabac.exe\""	Flasher.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2308	Flasher.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1272	Explorer.EXE

Suspicious use of WriteProcessMemory 1 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 1272	2308	Flasher.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1272
- C:\Users\Admin\AppData\Local\Temp\Flasher.exe
  "C:\Users\Admin\AppData\Local\Temp\Flasher.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1272-1-0x00000000050B0000-0x000000000514B000-memory.dmp

Filesize
620KB

Download
memory/1272-2-0x00000000050B0000-0x000000000514B000-memory.dmp

Filesize
620KB

Download
memory/1272-6-0x00000000050B0000-0x000000000514B000-memory.dmp

Filesize
620KB

Download
memory/2308-0-0x000000013FAD0000-0x000000013FB65000-memory.dmp

Filesize
596KB

Download
memory/2308-7-0x000000013FAD0000-0x000000013FB65000-memory.dmp

Filesize
596KB

Download