stealc | cecc051a6568f2e60daa72a70d81b69c0e929f11503f28904b3204ecd38a7111

Resubmissions

20/04/2025, 09:15

250420-k8b7mstlz9 10

20/04/2025, 09:09

250420-k4v4ystlt6 4

Analysis

max time kernel
2s
max time network
67s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2025, 09:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

44KB
MD5

f86507ff0856923a8686d869bbd0aa55
SHA1

d561b9cdbba69fdafb08af428033c4aa506802f8
SHA256

94f4fd6f2cb781ae7839ad2ee0322df732c8c7297e62834457662f8cde29dcbb
SHA512

6c1c073fc09498407b2c6b46d7a7e04c2db3c6f8d68c0dc0775211864c4508c48c2bd92e3849dc3805caacc856f9e31e1eea118661a55f526bfa61638f88c3da
SSDEEP

384:RozxIpl4504JaAystntGecMJ6gjpS1BO2NjrLVXjW9VBhKigecicWwnWzYDTFu:Rg04PGeZQG2NDVXjWLu1imL

Score

10^/10

stealc default discovery execution stealer

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://micfriosogprodnorthghostcom.top/kjgkjlKLkjfjkrhjHRGHKLNMREJGHKJnlGKL3454345BFJKKJnVBEKERJKRGEGREGRGERGERWBFDGGBTfgfbergsc4334ggd/lice

ps1.dropper

https://micfriosogprodnorthghostcom.top/kjgkjlKLkjfjkrhjHRGHKLNMREJGHKJnlGKL3454345BFJKKJnVBEKERJKRGEGREGRGERGERWBFDGGBTfgfbergsc4334ggd/lice/NLOCK/

exe.dropper

https://micfriosogprodnorthghostcom.top/kjgkjlKLkjfjkrhjHRGHKLNMREJGHKJnlGKL3454345BFJKKJnVBEKERJKRGEGREGRGERGERWBFDGGBTfgfbergsc4334ggd/lice

exe.dropper

https://micfriosogprodnorthghostcom.top/kjgkjlKLkjfjkrhjHRGHKLNMREJGHKJnlGKL3454345BFJKKJnVBEKERJKRGEGREGRGERGERWBFDGGBTfgfbergsc4334ggd/lice/NLOCK/

Extracted

Family

stealc

Botnet

default

hdkxbax.click

Attributes

url_path
/98e3554588153cc4.php

rc4.plain

Signatures

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
64	powershell.exe
5440	powershell.exe
3284	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
5336	timeout.exe
3700	timeout.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
64	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	3148	7za.exe
Token: 35	3148	7za.exe
Token: SeSecurityPrivilege	3148	7za.exe
Token: SeSecurityPrivilege	3148	7za.exe
Token: SeDebugPrivilege	64	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 5592 wrote to memory of 5588	5592	Setup.exe	87
PID 5592 wrote to memory of 5588	5592	Setup.exe	87
PID 5588 wrote to memory of 3148	5588	cmd.exe	89
PID 5588 wrote to memory of 3148	5588	cmd.exe	89
PID 5588 wrote to memory of 3148	5588	cmd.exe	89
PID 5588 wrote to memory of 5336	5588	cmd.exe	90
PID 5588 wrote to memory of 5336	5588	cmd.exe	90
PID 5588 wrote to memory of 3596	5588	cmd.exe	95
PID 5588 wrote to memory of 3596	5588	cmd.exe	95
PID 5588 wrote to memory of 3700	5588	cmd.exe	96
PID 5588 wrote to memory of 3700	5588	cmd.exe	96
PID 3596 wrote to memory of 2476	3596	cmd.exe	98
PID 3596 wrote to memory of 2476	3596	cmd.exe	98
PID 2476 wrote to memory of 5320	2476	net.exe	99
PID 2476 wrote to memory of 5320	2476	net.exe	99
PID 3596 wrote to memory of 64	3596	cmd.exe	100
PID 3596 wrote to memory of 64	3596	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\data\openssl\fs\dgs\fxf\fxf.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5588
- - C:\Users\Admin\AppData\Local\Temp\data\openssl\fs\dgs\fxf\7za.exe
    7za.exe e bin.zip -pYOUR_PASSWORD -oextracted_15749
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3148
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:5336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "extracted_15749\sss.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3596
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2476
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:5320
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\data\openssl\fs\dgs\fxf\extracted_15749\script.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:64
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5440
      - C:\Users\Admin\AppData\Roaming\KFXTE9OQ.exe
        
        "C:\Users\Admin\AppData\Roaming\KFXTE9OQ.exe"
        6⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Roaming\KFXTE9OQ.exe
        
        "C:\Users\Admin\AppData\Roaming\KFXTE9OQ.exe"
        7⤵
        
        PID:4360
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        8⤵
        
        PID:4940
      - C:\Users\Admin\AppData\Roaming\G2AU0WOC.exe
        
        "C:\Users\Admin\AppData\Roaming\G2AU0WOC.exe"
        6⤵
        
        PID:4208
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:3700

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4556

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f75d2b07fa4c4bc6eb33d2a9623031f9

SHA1
c03dcbe8052cde5e9ff71e8489dfebb443b5724f

SHA256
76466e1b0d264d540baa862ec3340b3602970964fe37952c6bea91a3f164a2ea

SHA512
59eb61e8baaa90a8829fa96e8e672ebe2e8ee31b7449bdf5876b70af7dd093aeebcc3de99630bd60d14a15d44d5c6f2d30c347bb1d9bf993b975fbcc10660543

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rkhybkpe.4ea.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\openssl\fs\dgs\fxf\extracted_15749\script.ps1

Filesize
3KB

MD5
0f5965b0cc2105d45772a98dcabbd57a

SHA1
e0c949e0169a980ad7ee420f1e4bebaa1c0b7d62

SHA256
ef97a67ffa78619ee90dce12142ab7a15a78842b84c8f72c19ad102e251e500a

SHA512
9abc32597fec8de69d387144ba6dc74b3a7424643d70f7f93a67e1ea10a52afc1f74d61d2154daee022199fc15e40162954b0dce30607a0bd3824d6df4c93d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\openssl\fs\dgs\fxf\extracted_15749\sss.bat

Filesize
405B

MD5
9ca3883fd45a5a455e64704ac6151ac9

SHA1
e7f89032ce544253a51020d7e894f6919fc35839

SHA256
c981688479756c987d6207e5804ed2b97fb50dfc80469309646c3f79d5ed05b4

SHA512
e5746faaae0680f68295db94f3865a7ec56663553d7401f996cce18bdc67ade23aef10c81018da28992e82a8178dc8a567b5b355479c7ceedfb87e46be9efa5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\openssl\fs\dgs\fxf\fxf.bat

Filesize
834B

MD5
a151668149df9dd4cb956a63f435076c

SHA1
7b14f4d96e027d04543679c7eb8d18a0b66c3760

SHA256
ee5a2a171524e81b2db5329dc474ffcc450da0a5f19150a71ecc22bdfafa6841

SHA512
27cc605cbc7d1a9db41d8398a025de5bdb72954c2d9bae978a9c0ec8895625847effbb0cdd6e83a74077e120f144bf5ada8b39b0f8a10b2282ebeed9c6e84c8a

Download Submit
C:\Users\Admin\AppData\Roaming\G2AU0WOC.exe

Filesize
2.3MB

MD5
0457b1a9663e6cdcdb286802d3931e9b

SHA1
0dbde8aa29f4cdfc8166f7972d53da735cff5204

SHA256
991739415b8e51919fd89ce0908d0ae8621016ab949ebef346497e4a3a7ce65a

SHA512
32508d142bbc24b278b4b2c2aba30af2550a55595ee9dec65403447d7c2c600a22c77a49ebf6afa81fa1aa72cbdc4a1ae2df798f80cc6bce698732dfa0fcc0ce

Download Submit
C:\Users\Admin\AppData\Roaming\G2AU0WOC.exe

Filesize
2.1MB

MD5
93687b6e2d04d099e3a993e6ba24f24e

SHA1
9541758e5e8f9ad5aa3876763bb565f612131485

SHA256
07962d0d89bce3da17d49e91f6a4172a780363771a2e40b80c596c9204c4c094

SHA512
717fe9838542d6cebf98e3c01ec00f9023c0e605699c92e59361faabd1084f8dcd07b3cb0ae023329d3e4c49025e3647923e2400822ca6e0fc01302b5c9f195a

Download Submit
C:\Users\Admin\AppData\Roaming\G2AU0WOC.exe

Filesize
2.2MB

MD5
426ed7277d82824cf83a780f9f429650

SHA1
6732b44fc0783ba8c5d8fcdb55581a7b684523ff

SHA256
9c5a6a88c6c78074fc847e1ffcf6d96a83871e165b938ffff5c5771b7a4b85b1

SHA512
e52f5f4e7864a73fd745234f1a46a510b79d06c62419996468b49afb1c0ff59e15815f606aced41a9ac786c7fe230851e49915a31a37145b1aa4a7fc508f78be

Download Submit
C:\Users\Admin\AppData\Roaming\KFXTE9OQ.exe

Filesize
1.7MB

MD5
4843ac2d3c0e53f8f361db55c75c3ccd

SHA1
956b27ce3b86107156fe6999357a8cd390270959

SHA256
332ca78e0423c59a8c45cea8f7ea80392ff1d5a4fbe0d3107096a3d05fba1940

SHA512
0768786cde00b97ddb161c1b7f4cedc45f61aa9c13fe7556be939f8efe857eb38a2de689db569582dec83223ea6d43c3415c78145a3d78815dd62ab828379e47

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
7ea7df4c6b4ee4aac7ec400ae4893b47

SHA1
1915658078059591a093009af068eac799423214

SHA256
3466d78ae77a8be00868756d357128752c6c2559ad5de1cfc1c39778156df3db

SHA512
aaaf8056ea9144021db2416817e46220dab35bc844c6c8a269518db8697624e38212310596526c260a2066e3f2e26fbc0294e49919ce0cfad2ce18941fdbce69

Download Submit
memory/64-36-0x000002C621800000-0x000002C621976000-memory.dmp

Filesize
1.5MB

Download
memory/64-8-0x00007FFB98AF3000-0x00007FFB98AF5000-memory.dmp

Filesize
8KB

Download
memory/64-21-0x00007FFB98AF0000-0x00007FFB995B1000-memory.dmp

Filesize
10.8MB

Download
memory/64-37-0x000002C621B90000-0x000002C621D9A000-memory.dmp

Filesize
2.0MB

Download
memory/64-94-0x00007FFB98AF0000-0x00007FFB995B1000-memory.dmp

Filesize
10.8MB

Download
memory/64-20-0x00007FFB98AF0000-0x00007FFB995B1000-memory.dmp

Filesize
10.8MB

Download
memory/64-18-0x000002C61F2C0000-0x000002C61F2E2000-memory.dmp

Filesize
136KB

Download
memory/64-33-0x00007FFB98AF0000-0x00007FFB995B1000-memory.dmp

Filesize
10.8MB

Download
memory/64-23-0x00007FFB98AF0000-0x00007FFB995B1000-memory.dmp

Filesize
10.8MB

Download
memory/64-22-0x00007FFB98AF3000-0x00007FFB98AF5000-memory.dmp

Filesize
8KB

Download
memory/3444-93-0x00007FF64AB60000-0x00007FF64BE3E000-memory.dmp

Filesize
18.9MB

Download
memory/4208-86-0x00007FFBB7930000-0x00007FFBB7932000-memory.dmp

Filesize
8KB

Download
memory/4208-87-0x00007FF64AB60000-0x00007FF64BE3D000-memory.dmp

Filesize
18.9MB

Download
memory/4360-61-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/4360-63-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download