Overview

overview

10

Static

static

3

FACTURAS.exe

windows7-x64

1

FACTURAS.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    22032025_0113_21032025_FACTURAS.gz

  • Size

    36KB

  • Sample

    250322-btrjcavwaw

  • MD5

    5a2d5fae2b06901cd2ec9eba2ca8049b

  • SHA1

    65282682156719275be3254fc7170fdb8916e024

  • SHA256

    a122f35e32fc7dfc16f5228e7accf3fb16f009e0ae023979b1946c3c08cf0380

  • SHA512

    6c8c5ab39b7d5e5f87f5163b3b78a97eb8888decf12cd457534984354385d68ef7c68b8b999971749f66093c7a09749c2cdc692afe5eabb015a4b12f118f4c51

  • SSDEEP

    768:g2CkbRCuKGJkQrww8+V8XbctZOA4yvhyNnw9CIxooxU4GitJLVkg:g2CvudZrwF+VactoDShyG9JbltAg

Score
10/10
stealeriumcollectioncredential_accessdiscoverypersistenceprivilege_escalationspywarestealer

Malware Config

Extracted

Family

stealerium

C2

https://api.telegram.org/bot7756107542:AAEhuCgRX-ckFVwps3xqgrtyb3JVRKo9Tog/sendMessage?chat_id=

Targets

    • Target

      FACTURAS.exe

    • Size

      95KB

    • MD5

      e945c5efd46a03fec5ab5c1d77b64e23

    • SHA1

      c9b3edb25d29613fc859d0c6d24bea02f3031c3b

    • SHA256

      5d2dd8452a0048b9d23499187fafc6e2cfd25efb72eee7f92657352e954bc160

    • SHA512

      56724b9a9271fc87e57b0b042c4d6d5935ca604e24f10e06183a3612590aa15bdbf1bf1f020eeae45b10c611d591acd42d80c0dd3f923df93ba8615d5b314fbf

    • SSDEEP

      1536:DGAIyl4VuPPlAlqFuJp2JxhVtPd9YebC+AARivhbv:aAI8QAFfPwVdhbv

    Score
    10/10
    stealeriumcollectioncredential_accessdiscoverypersistenceprivilege_escalationspywarestealer

    • Stealerium

      An open source info stealer written in C# first seen in May 2022.

      stealerstealerium

    • Stealerium family

      stealerium

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

      credential_accessstealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Modify Authentication Process

1
T1556

Privilege Escalation

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Modify Authentication Process

1
T1556

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Modify Authentication Process

1
T1556

Steal Web Session Cookie

1
T1539

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

3
T1012

System Information Discovery

4
T1082

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.