stealerium | 8b402bb02ec8211eb98b09beb60ea62db552c98ecc5919337dbace8af8bc0f57

Analysis

max time kernel
115s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
21/03/2025, 10:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Listado Facturas.exe
Size

7.9MB
MD5

e44441da8f8b45b56e6b46ab5ddf4736
SHA1

d8b09914d7e463e72ddc13206b86c3d90aa993c2
SHA256

10fb218b942d8e1e9e070b82f01ce72128a19e97158003b53686b4d7a03a8aa8
SHA512

84f5c7299e954d773ac2c65c3849dbf2bb4a4fefc395a8afc6cb30ee236d9d37d5cfb5caefdb7a906ea5a8a11884fb0c64483f2c454ac00232d79701676cfa20
SSDEEP

196608:8R1r9MalxTjLcUeLs8fk4kgQeo49tAQxVEkWxATVmVg5NsED5lO4:sria3TjYs8M4kPeo4fAHxsVSgw85

Score

10^/10

stealerium stealer

Malware Config

Extracted

Family

stealerium

https://api.telegram.org/bot7756107542:AAEhuCgRX-ckFVwps3xqgrtyb3JVRKo9Tog/sendMessage?chat_id=

Signatures

Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
Stealerium family
stealerium

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1464 created 3428	1464	Listado Facturas.exe	56

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	Listado Facturas.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1464 set thread context of 5100	1464	Listado Facturas.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3084	timeout.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
5316	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1464	Listado Facturas.exe
5100	Listado Facturas.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1464	Listado Facturas.exe
Token: SeDebugPrivilege	1464	Listado Facturas.exe
Token: SeDebugPrivilege	5100	Listado Facturas.exe
Token: SeDebugPrivilege	5316	taskkill.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 5100	1464	Listado Facturas.exe	97
PID 1464 wrote to memory of 5100	1464	Listado Facturas.exe	97
PID 1464 wrote to memory of 5100	1464	Listado Facturas.exe	97
PID 1464 wrote to memory of 5100	1464	Listado Facturas.exe	97
PID 1464 wrote to memory of 5100	1464	Listado Facturas.exe	97
PID 1464 wrote to memory of 5100	1464	Listado Facturas.exe	97
PID 5100 wrote to memory of 6128	5100	Listado Facturas.exe	98
PID 5100 wrote to memory of 6128	5100	Listado Facturas.exe	98
PID 6128 wrote to memory of 4976	6128	cmd.exe	100
PID 6128 wrote to memory of 4976	6128	cmd.exe	100
PID 6128 wrote to memory of 5316	6128	cmd.exe	101
PID 6128 wrote to memory of 5316	6128	cmd.exe	101
PID 6128 wrote to memory of 3084	6128	cmd.exe	102
PID 6128 wrote to memory of 3084	6128	cmd.exe	102

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3428
- C:\Users\Admin\AppData\Local\Temp\Listado Facturas.exe
  "C:\Users\Admin\AppData\Local\Temp\Listado Facturas.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1464
- C:\Users\Admin\AppData\Local\Temp\Listado Facturas.exe
  "C:\Users\Admin\AppData\Local\Temp\Listado Facturas.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e69929f7-13ce-4e62-8ad0-831b468ace24.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:6128
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4976
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5100
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5316
  - - C:\Windows\system32\timeout.exe
      timeout /T 2 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:3084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e69929f7-13ce-4e62-8ad0-831b468ace24.bat

Filesize
152B

MD5
28e669b5b9a864bc2040223e9dccb74b

SHA1
546b5939be3e06edb023cb384ea96e7bcafbe90c

SHA256
75b3224955d8eef1fb1c1b6fbfd7f3b8345933e92a10444614d0953dfdd5b330

SHA512
a2360dd4c459a73900987f5f37c72203ff651a10307bdaff5bf652cc8718b450a46ee4b2e135135b525683aae28e20ed3650681bdcf7868bdd9c504d85239653

Download Submit
memory/1464-0-0x00007FF982133000-0x00007FF982135000-memory.dmp

Filesize
8KB

Download
memory/1464-1-0x000001A915020000-0x000001A91580A000-memory.dmp

Filesize
7.9MB

Download
memory/1464-2-0x000001A92FCA0000-0x000001A930474000-memory.dmp

Filesize
7.8MB

Download
memory/1464-3-0x00007FF982130000-0x00007FF982BF1000-memory.dmp

Filesize
10.8MB

Download
memory/1464-4-0x000001A92FCA0000-0x000001A93046D000-memory.dmp

Filesize
7.8MB

Download
memory/1464-5-0x000001A92FCA0000-0x000001A93046D000-memory.dmp

Filesize
7.8MB

Download
memory/1464-8-0x000001A92FCA0000-0x000001A93046D000-memory.dmp

Filesize
7.8MB

Download
memory/1464-9-0x000001A92FCA0000-0x000001A93046D000-memory.dmp

Filesize
7.8MB

Download
memory/1464-15-0x000001A92FCA0000-0x000001A93046D000-memory.dmp

Filesize
7.8MB

Download
memory/1464-17-0x000001A92FCA0000-0x000001A93046D000-memory.dmp

Filesize
7.8MB

Download
memory/1464-21-0x000001A92FCA0000-0x000001A93046D000-memory.dmp

Filesize
7.8MB

Download
memory/1464-27-0x000001A92FCA0000-0x000001A93046D000-memory.dmp

Filesize
7.8MB

Download
memory/1464-31-0x000001A92FCA0000-0x000001A93046D000-memory.dmp

Filesize
7.8MB

Download
memory/1464-47-0x000001A92FCA0000-0x000001A93046D000-memory.dmp

Filesize
7.8MB

Download
memory/1464-53-0x000001A92FCA0000-0x000001A93046D000-memory.dmp

Filesize
7.8MB

Download
memory/1464-55-0x000001A92FCA0000-0x000001A93046D000-memory.dmp

Filesize
7.8MB

Download
memory/1464-67-0x000001A92FCA0000-0x000001A93046D000-memory.dmp

Filesize
7.8MB

Download
memory/1464-65-0x000001A92FCA0000-0x000001A93046D000-memory.dmp

Filesize
7.8MB

Download
memory/1464-63-0x000001A92FCA0000-0x000001A93046D000-memory.dmp

Filesize
7.8MB

Download
memory/1464-61-0x000001A92FCA0000-0x000001A93046D000-memory.dmp

Filesize
7.8MB

Download
memory/1464-59-0x000001A92FCA0000-0x000001A93046D000-memory.dmp

Filesize
7.8MB

Download
memory/1464-57-0x000001A92FCA0000-0x000001A93046D000-memory.dmp

Filesize
7.8MB

Download
memory/1464-51-0x000001A92FCA0000-0x000001A93046D000-memory.dmp

Filesize
7.8MB

Download
memory/1464-49-0x000001A92FCA0000-0x000001A93046D000-memory.dmp

Filesize
7.8MB

Download
memory/1464-45-0x000001A92FCA0000-0x000001A93046D000-memory.dmp

Filesize
7.8MB

Download
memory/1464-43-0x000001A92FCA0000-0x000001A93046D000-memory.dmp

Filesize
7.8MB

Download
memory/1464-41-0x000001A92FCA0000-0x000001A93046D000-memory.dmp

Filesize
7.8MB

Download
memory/1464-39-0x000001A92FCA0000-0x000001A93046D000-memory.dmp

Filesize
7.8MB

Download
memory/1464-37-0x000001A92FCA0000-0x000001A93046D000-memory.dmp

Filesize
7.8MB

Download
memory/1464-35-0x000001A92FCA0000-0x000001A93046D000-memory.dmp

Filesize
7.8MB

Download
memory/1464-29-0x000001A92FCA0000-0x000001A93046D000-memory.dmp

Filesize
7.8MB

Download
memory/1464-25-0x000001A92FCA0000-0x000001A93046D000-memory.dmp

Filesize
7.8MB

Download
memory/1464-23-0x000001A92FCA0000-0x000001A93046D000-memory.dmp

Filesize
7.8MB

Download
memory/1464-33-0x000001A92FCA0000-0x000001A93046D000-memory.dmp

Filesize
7.8MB

Download
memory/1464-19-0x000001A92FCA0000-0x000001A93046D000-memory.dmp

Filesize
7.8MB

Download
memory/1464-13-0x000001A92FCA0000-0x000001A93046D000-memory.dmp

Filesize
7.8MB

Download
memory/1464-11-0x000001A92FCA0000-0x000001A93046D000-memory.dmp

Filesize
7.8MB

Download
memory/1464-775-0x00007FF982133000-0x00007FF982135000-memory.dmp

Filesize
8KB

Download
memory/1464-854-0x00007FF982130000-0x00007FF982BF1000-memory.dmp

Filesize
10.8MB

Download
memory/1464-1342-0x00007FF982130000-0x00007FF982BF1000-memory.dmp

Filesize
10.8MB

Download
memory/1464-1343-0x000001A930570000-0x000001A930C9C000-memory.dmp

Filesize
7.2MB

Download
memory/1464-1344-0x000001A930CA0000-0x000001A9313C8000-memory.dmp

Filesize
7.2MB

Download
memory/1464-1345-0x000001A92FBF0000-0x000001A92FC3C000-memory.dmp

Filesize
304KB

Download
memory/1464-1346-0x00007FF982130000-0x00007FF982BF1000-memory.dmp

Filesize
10.8MB

Download
memory/1464-1347-0x00007FF982130000-0x00007FF982BF1000-memory.dmp

Filesize
10.8MB

Download
memory/1464-1348-0x00007FF982130000-0x00007FF982BF1000-memory.dmp

Filesize
10.8MB

Download
memory/1464-1349-0x000001A932480000-0x000001A9324D4000-memory.dmp

Filesize
336KB

Download
memory/1464-1356-0x00007FF982130000-0x00007FF982BF1000-memory.dmp

Filesize
10.8MB

Download
memory/1464-1353-0x00007FF982130000-0x00007FF982BF1000-memory.dmp

Filesize
10.8MB

Download
memory/1464-1358-0x00007FF982130000-0x00007FF982BF1000-memory.dmp

Filesize
10.8MB

Download
memory/5100-1357-0x0000000000400000-0x0000000000B0E000-memory.dmp

Filesize
7.1MB

Download
memory/5100-1359-0x00007FF982130000-0x00007FF982BF1000-memory.dmp

Filesize
10.8MB

Download
memory/5100-1362-0x00007FF982130000-0x00007FF982BF1000-memory.dmp

Filesize
10.8MB

Download