Behavioral task: behavioral1
Sample: 9ccfdd44ee5fede8d813441081c37054.exe
Resource: win10v2004-20250314-en
General
Target: 9ccfdd44ee5fede8d813441081c37054.exe
Size: 1.2MB
MD5: 9ccfdd44ee5fede8d813441081c37054
SHA1: 645baedccb045294e5e00e8632316c8d0e349bdc
SHA256: da4d4bdb72382261383f2b08e86cb670a2ca99acef22c5866187371ec537ba91
SHA512: 79f68ee36c42d4d68af62e42cf5c9b7d420c18d7bdca09fb7d40784cf3b95caed41798b47b04e783fdbdff169046ea1bca329ca876a97a663116f385b0271344
SSDEEP: 24576:tHjTwpzGkqDZBI6JNwsqG5nDCsGf5Qa9u+aasbWgxU:RjTwpzGLq6JPDCsGh2r
Malware Config
Extracted
Family: svcstealer
Version: 3.3
C2: 185.81.68.156
C2: 176.113.115.149
url_paths: /svcstealer/get.php
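The extracted config gives two C2 hosts and one fixed panel path, which is enough to hunt for check-ins in web-proxy logs. The script below is an added example, not part of the sandbox report: the IPs and the path are the report's extracted values, the log lines are constructed for illustration, and their layout (timestamp, client IP, method, URL, status, space separated) is an assumed generic format rather than any product's own. It grades each hit by whether host, path, or both matched, because the panel path tends to survive a change of C2 host.

```python
"""Match web-proxy log lines against the C2 indicators extracted above.

Added example; it is not part of the sandbox report. The two IPs and the
URL path are the report's extracted config. The log lines are constructed,
and their layout (timestamp, client IP, method, URL, status, space
separated) is an assumed generic format rather than any product's own.
"""
from urllib.parse import urlsplit

C2_HOSTS = {"185.81.68.156", "176.113.115.149"}  # from the extracted config
C2_PATHS = {"/svcstealer/get.php"}                # from the extracted config

# Constructed sample lines: <timestamp> <client_ip> <method> <url> <status>
SAMPLE_LOG = """\
2025-03-14T10:01:02Z 10.0.0.15 GET http://update.example.com/index.html 200
2025-03-14T10:01:09Z 10.0.0.15 POST http://185.81.68.156/svcstealer/get.php 200
2025-03-14T10:02:30Z 10.0.0.22 GET http://176.113.115.149:8080/svcstealer/get.php?id=1 200
2025-03-14T10:03:11Z 10.0.0.22 GET http://185.81.68.156/ 404
2025-03-14T10:04:00Z 10.0.0.31 GET http://cdn.example.org/svcstealer/get.php 200
malformed line
"""


def classify(url):
    """Return 'c2', 'c2_host', 'c2_path' or None for one URL.

    Host and path together is the strongest match. A bare host hit still
    matters (same infrastructure, another path), and a path-only hit on an
    unknown host is worth triage because the panel path is fixed in the
    config and tends to survive a C2 host change.
    """
    parts = urlsplit(url)
    host_hit = (parts.hostname or "") in C2_HOSTS   # hostname drops any :port
    path_hit = parts.path in C2_PATHS               # path excludes the query string
    if host_hit and path_hit:
        return "c2"
    if host_hit:
        return "c2_host"
    if path_hit:
        return "c2_path"
    return None


def scan(log_text):
    """Return a list of (client_ip, verdict, url) for every matching line."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:          # skip truncated or malformed records
            continue
        _ts, client, _method, url, _status = fields[:5]
        verdict = classify(url)
        if verdict:
            hits.append((client, verdict, url))
    return hits


if __name__ == "__main__":
    for client, verdict, url in scan(SAMPLE_LOG):
        print(f"{verdict:8} {client:12} {url}")
```

Run it against a real export by replacing SAMPLE_LOG with the file contents; only the field positions in scan() need to change for a different log layout.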
Signatures
Detects SvcStealer Payload (1 IoC)
SvcStealer aka Diamotrix Clipper is a stealer/downloader written in C++.
resource: sample, yara_rule: family_svcstealer
Svcstealer family
Unsigned PE (1 IoC)
Checks for missing Authenticode signature.
resource: 9ccfdd44ee5fede8d813441081c37054.exe
Files
9ccfdd44ee5fede8d813441081c37054.exe.exe windows:6 windows x64 arch:x64
6f6b32931912845ef52e20acf30dc775
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
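The DllCharacteristics and File Characteristics above, and the "Unsigned PE" signature earlier, all come from a few optional-header fields. The script below is an added example, not part of the sandbox report and not the sandbox's own signature code: it parses those fields from raw PE bytes with the standard library only, decodes the flag bits, and treats an empty certificate table (data directory 4) as "no embedded Authenticode signature". The header-only PE32+ image built by build_minimal_pe64() is a constructed fixture that reproduces the header facts the report lists; it is not the analysed sample.

```python
"""Decode the PE header facts the report lists and check for an embedded
Authenticode signature.

Added example; it is not part of the sandbox report and is not the
sandbox's own signature code. Standard library only. build_minimal_pe64()
constructs a header-only PE32+ image that reproduces what the report shows
(the four DllCharacteristics flags, EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE,
no certificate table); it is a constructed fixture, not the analysed sample.
"""
import struct
import sys

DLL_CHARACTERISTICS = {
    0x0020: "IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA",
    0x0040: "IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE",
    0x0080: "IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY",
    0x0100: "IMAGE_DLLCHARACTERISTICS_NX_COMPAT",
    0x0200: "IMAGE_DLLCHARACTERISTICS_NO_ISOLATION",
    0x0400: "IMAGE_DLLCHARACTERISTICS_NO_SEH",
    0x0800: "IMAGE_DLLCHARACTERISTICS_NO_BIND",
    0x1000: "IMAGE_DLLCHARACTERISTICS_APPCONTAINER",
    0x2000: "IMAGE_DLLCHARACTERISTICS_WDM_DRIVER",
    0x4000: "IMAGE_DLLCHARACTERISTICS_GUARD_CF",
    0x8000: "IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE",
}
FILE_CHARACTERISTICS = {
    0x0001: "IMAGE_FILE_RELOCS_STRIPPED",
    0x0002: "IMAGE_FILE_EXECUTABLE_IMAGE",
    0x0020: "IMAGE_FILE_LARGE_ADDRESS_AWARE",
    0x2000: "IMAGE_FILE_DLL",
}
MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode certificate table


def _flags(table, value):
    return [name for bit, name in sorted(table.items()) if value & bit]


def inspect_pe(data):
    """Return header fields from raw PE bytes (raises ValueError if not a PE)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsect, _ts, _symp, _nsym, _opt_size, file_chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32PLUS_MAGIC:                      # 64-bit layout: 8-byte ImageBase and stack/heap
        ndirs_off, dirs_off = 108, 112               # sizes push the directory table 16 bytes later
    elif magic == PE32_MAGIC:
        ndirs_off, dirs_off = 92, 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both layouts
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    cert_size = 0
    if ndirs > SECURITY_DIR:
        _cert_off, cert_size = struct.unpack_from("<II", data, opt + dirs_off + 8 * SECURITY_DIR)
    return {
        "machine": MACHINES.get(machine, f"{machine:#06x}"),
        "file_characteristics": _flags(FILE_CHARACTERISTICS, file_chars),
        "dll_characteristics": _flags(DLL_CHARACTERISTICS, dll_chars),
        # An empty certificate table means no embedded Authenticode signature.
        # Catalog-signed files (signature stored in a .cat outside the file)
        # also show an empty table, so this means "not self-signed", not "untrusted".
        "has_authenticode": cert_size != 0,
    }


def build_minimal_pe64(dll_chars=0x8160, cert_size=0):
    """Constructed header-only PE32+ fixture; 0x8160 is the four flags the report lists."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)     # 64-byte DOS header, e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0022)  # x64, no sections, EXE|LAA
    opt = bytearray(240)                                    # 112 fixed bytes + 16 directory entries
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<H", opt, 68, 2)                      # Subsystem: WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 108, 16)                    # NumberOfRvaAndSizes
    if cert_size:                                           # security entry holds a file offset, not an RVA
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, len(dos) + 4 + 20 + 240, cert_size)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe64()
    for key, value in inspect_pe(blob).items():
        print(f"{key}: {value}")
```

Point it at a real file with `python inspect_pe.py sample.exe`; with no argument it inspects the constructed fixture. The caveat in the code matters for triage: an empty certificate table is exactly what the "Unsigned PE" signature keys on, but it does not by itself prove a Windows component is unsigned, since OS binaries are often catalog-signed.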
Imports
kernel32
GetProcAddress
LoadLibraryA
SetCurrentDirectoryW
Process32First
GetComputerNameW
K32GetModuleFileNameExW
OpenProcess
GetVersionExW
GetModuleFileNameW
GetLocalTime
Process32Next
GlobalMemoryStatusEx
K32EnumProcesses
GetSystemInfo
CreateToolhelp32Snapshot
ExitProcess
TerminateThread
IsDebuggerPresent
DeleteFileW
CreateThread
HeapAlloc
HeapFree
GetProcessHeap
FormatMessageA
SetLastError
OutputDebugStringA
LocalFree
HeapReAlloc
GetCurrentProcess
GetModuleHandleW
HeapDestroy
HeapCreate
GetCurrentThreadId
GetCurrentProcessId
GetFullPathNameW
GetFullPathNameA
CreateMutexW
HeapCompact
SetFilePointer
TryEnterCriticalSection
MapViewOfFile
UnmapViewOfFile
SetEndOfFile
SystemTimeToFileTime
QueryPerformanceCounter
WaitForSingleObject
UnlockFile
FlushViewOfFile
LockFile
WaitForSingleObjectEx
OutputDebugStringW
GetTickCount
UnlockFileEx
GetSystemTimeAsFileTime
InitializeCriticalSection
WideCharToMultiByte
LoadLibraryW
FormatMessageW
GetFileAttributesA
LeaveCriticalSection
HeapValidate
GetFileAttributesW
GetTempPathW
HeapSize
LockFileEx
EnterCriticalSection
GetDiskFreeSpaceW
CreateFileMappingA
CreateFileMappingW
GetDiskFreeSpaceA
GetFileAttributesExW
DeleteCriticalSection
GetVersionExA
GetTempPathA
GetSystemTime
AreFileApisANSI
DeleteFileA
FindFirstFileW
CreateDirectoryW
CopyFileW
FindClose
FindNextFileW
GetWindowsDirectoryA
GetVolumeInformationA
TerminateProcess
CopyFileA
Process32FirstW
RemoveDirectoryW
Process32NextW
GetWindowsDirectoryW
GetVolumeInformationW
FindFirstFileA
FindNextFileA
WriteConsoleW
SetStdHandle
EnumSystemLocalesEx
IsValidLocaleName
LCMapStringEx
GetUserDefaultLocaleName
CompareStringEx
GetDateFormatEx
GetTimeFormatEx
lstrcatA
FreeLibrary
FlushFileBuffers
lstrcpyA
GetCurrentDirectoryW
Sleep
lstrlenA
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetTickCount64
ReadConsoleW
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlCaptureContext
GetConsoleMode
GetConsoleCP
SetFilePointerEx
GetStartupInfoW
InitOnceExecuteOnce
GetFileType
GetStdHandle
GetTimeZoneInformation
GetOEMCP
GetACP
IsValidCodePage
GetModuleHandleExW
IsProcessorFeaturePresent
InitializeCriticalSectionAndSpinCount
RtlUnwindEx
RtlLookupFunctionEntry
RaiseException
RtlPcToFileHeader
lstrcmpA
CloseHandle
GetLastError
CreateFileW
ReadFile
WriteFile
GetFileSize
MultiByteToWideChar
CreateFileA
GetCommandLineW
LoadLibraryExW
ExitThread
GetCPInfo
GetLocaleInfoEx
InitializeCriticalSectionEx
DecodePointer
EncodePointer
GetStringTypeW
SetEnvironmentVariableA
user32
GetSystemMetrics
GetDC
GetTopWindow
wsprintfA
GetWindow
GetWindowThreadProcessId
wsprintfW
GetWindowTextW
advapi32
GetUserNameW
shlwapi
PathStripPathA
StrCmpIW
PathFindExtensionW
shell32
SHGetFolderPathA
SHGetKnownFolderPath
ShellExecuteExW
ShellExecuteW
SHGetFolderPathW
ole32
CoInitializeEx
CoInitializeSecurity
CoUninitialize
CoCreateInstance
CoSetProxyBlanket
oleaut32
SysAllocString
VariantClear
SysFreeString
bcrypt
BCryptGenerateSymmetricKey
BCryptSetProperty
BCryptDecrypt
BCryptCloseAlgorithmProvider
BCryptOpenAlgorithmProvider
crypt32
CryptUnprotectData
CryptStringToBinaryA
gdi32
CreateCompatibleDC
SelectObject
DeleteObject
CreateCompatibleBitmap
BitBlt
gdiplus
GdipGetImageEncoders
GdiplusStartup
GdipSaveImageToFile
GdipCloneImage
GdipDisposeImage
GdipCreateBitmapFromHBITMAP
GdiplusShutdown
GdipFree
GdipAlloc
GdipGetImageEncodersSize
msi
ord246
ord70
Sections
.text Size: 951KB - Virtual size: 950KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 179KB - Virtual size: 179KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 22KB - Virtual size: 34KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 45KB - Virtual size: 45KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 1024B - Virtual size: 648B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 12KB - Virtual size: 11KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ