svcstealer | 401c472ad7425e95b53f52be849016afdd467a4728ac8796ff1a932731b1d3ce | Triage

Sharing

General

Target

SecuriteInfo.com.FileRepMalware.24556.13413.exe
Size

1.3MB
Sample

250401-jmmktayk12
MD5

7649c0971252ffe91d89be9c5e975116
SHA1

fec1eea05dc92f5cab9ccf4f10e9fd3dcaf9d79d
SHA256

401c472ad7425e95b53f52be849016afdd467a4728ac8796ff1a932731b1d3ce
SHA512

fb0697c7857eeb655b3aa5d88f18d22b4ce132f1dbdb767701851776adadd0aa30d597c297ef6556e0f273d66b65ca03194f468915b0f67c32ee890ad4966255
SSDEEP

24576:3Xu/KM5dja19/WFrsujlEVEv1Ob9aitFP3mHStKJIZMu3z/FieOO6aVP/nUrIOze:H66S6VvD3zfRi7831g1KkR

Score

10^/10

svcstealer discovery downloader persistence pyinstaller spyware stealer

Malware Config

Extracted

Family

svcstealer

Version

3.2

C2

185.81.68.156

176.113.115.149

Attributes

url_paths
/svcstealer/get.php

Targets

- Target
  
  SecuriteInfo.com.FileRepMalware.24556.13413.exe
- Size
  
  1.3MB
- MD5
  
  7649c0971252ffe91d89be9c5e975116
- SHA1
  
  fec1eea05dc92f5cab9ccf4f10e9fd3dcaf9d79d
- SHA256
  
  401c472ad7425e95b53f52be849016afdd467a4728ac8796ff1a932731b1d3ce
- SHA512
  
  fb0697c7857eeb655b3aa5d88f18d22b4ce132f1dbdb767701851776adadd0aa30d597c297ef6556e0f273d66b65ca03194f468915b0f67c32ee890ad4966255
- SSDEEP
  
  24576:3Xu/KM5dja19/WFrsujlEVEv1Ob9aitFP3mHStKJIZMu3z/FieOO6aVP/nUrIOze:H66S6VvD3zfRi7831g1KkR
Score

10^/10

svcstealer discovery downloader persistence pyinstaller spyware stealer
- Detects SvcStealer Payload
  SvcStealer aka Diamotrix Clipper is a stealer/downloader written in C++.
- SvcStealer, Diamotrix
  SvcStealer aka Diamotrix Clipper is a stealer/downloader written in C++.
  stealer downloader svcstealer
- Svcstealer family
  svcstealer
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

svcstealerdiscoverydownloaderpersistencepyinstallerspywarestealer