svcstealer | bfe4b4df28361cf5ef899f834fefed90d282995621018ac8215c04ca2cfe571f

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/03/2025, 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4klgwMz.exe
Size

615KB
MD5

19668940080169c70b830bed8c390783
SHA1

5e6b72e52abc7d221d512111e39cbdd3f2ad40c1
SHA256

cdbc641b8c23b5699f899b408394ecfc946af9ac7a38c5d44c78a4a938e7b02c
SHA512

c322eba01ff4544b8077ec400f15ecffd3b66f89e0e0e26946224771c1ffb9c687ff4adc2e0a5e6b119766b3c8300971cfc2c990ff48346d9d3d514ab5d4bed2
SSDEEP

12288:El+79KrrgMgm+w7diouERjgVCjqQeJKxZ+0EQrkyfazcdM+XUr1Mlohbn:Elc9KrrgMgm+sdhuEO0OFJ8Z+ZQ1fFqv

Score

10^/10

svcstealer downloader persistence stealer

Malware Config

Signatures

Detects SvcStealer Payload 4 IoCs

SvcStealer aka Diamotrix Clipper is a stealer/downloader written in C++.

resource	yara_rule
behavioral1/memory/2156-0-0x000000013FAB0000-0x000000013FB4F000-memory.dmp	family_svcstealer
behavioral1/memory/1240-7-0x0000000004400000-0x00000000044A5000-memory.dmp	family_svcstealer
behavioral1/memory/2156-6-0x000000013FAB0000-0x000000013FB4F000-memory.dmp	family_svcstealer
behavioral1/memory/1240-2-0x0000000004400000-0x00000000044A5000-memory.dmp	family_svcstealer

SvcStealer, Diamotrix
SvcStealer aka Diamotrix Clipper is a stealer/downloader written in C++.
stealer downloader svcstealer
Svcstealer family
svcstealer

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\eaddedeabcefaaac = "\"C:\\ProgramData\\eaddedeabcefaaac.exe\""	4klgwMz.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2156	4klgwMz.exe

Suspicious use of WriteProcessMemory 1 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 1240	2156	4klgwMz.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1240
- C:\Users\Admin\AppData\Local\Temp\4klgwMz.exe
  "C:\Users\Admin\AppData\Local\Temp\4klgwMz.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1240-1-0x0000000004400000-0x00000000044A5000-memory.dmp

Filesize
660KB

Download
memory/1240-7-0x0000000004400000-0x00000000044A5000-memory.dmp

Filesize
660KB

Download
memory/1240-2-0x0000000004400000-0x00000000044A5000-memory.dmp

Filesize
660KB

Download
memory/2156-0-0x000000013FAB0000-0x000000013FB4F000-memory.dmp

Filesize
636KB

Download
memory/2156-6-0x000000013FAB0000-0x000000013FB4F000-memory.dmp

Filesize
636KB

Download