Malware analysis 20352dbd9ccbf5f92c6670ce2466942e.exe Malicious activity

Add for printing

File name:	20352dbd9ccbf5f92c6670ce2466942e.exe
Full analysis:	https://app.any.run/tasks/cc27f139-761d-43c6-b0db-cd0ea934683b
Verdict:	Malicious activity
Threats:	Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	December 02, 2023, 16:56:24
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	stealc stealer
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	20352DBD9CCBF5F92C6670CE2466942E
SHA1:	CD1E7635020841478C59F976260F5D7516CB709F
SHA256:	1E19E42B22CEBBF20EBA654F4FF460D06A903775730416106B8DBD35B41C3C81
SSDEEP:	6144:UZRn/f5EkZUkDc3rLA0iSLQzgjjMUpfb58iEdfcOXjX6fFXI+rQrc4q:oDEWUkDc33AVSLQzi48DGivXLKc4q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.177.11)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (64-bit x64) (7.5.1)
PowerShell 7-x64 (7.2.11.0)
Skype version 8.100 (8.100)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- STEALC has been detected (YARA)
  - 20352dbd9ccbf5f92c6670ce2466942e.exe (PID: 2128)
- STEALC has been detected (SURICATA)
  - 20352dbd9ccbf5f92c6670ce2466942e.exe (PID: 2128)
- Connects to the CnC server
  - 20352dbd9ccbf5f92c6670ce2466942e.exe (PID: 2128)
SUSPICIOUS
- Reads the Internet Settings
  - 20352dbd9ccbf5f92c6670ce2466942e.exe (PID: 2128)
- Connects to the server without a host name
  - 20352dbd9ccbf5f92c6670ce2466942e.exe (PID: 2128)
INFO
- Checks proxy server information
  - 20352dbd9ccbf5f92c6670ce2466942e.exe (PID: 2128)
- Reads the machine GUID from the registry
  - 20352dbd9ccbf5f92c6670ce2466942e.exe (PID: 2128)
- Reads the computer name
  - 20352dbd9ccbf5f92c6670ce2466942e.exe (PID: 2128)
- Checks supported languages
  - 20352dbd9ccbf5f92c6670ce2466942e.exe (PID: 2128)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

Stealc

(PID) Process(2128) 20352dbd9ccbf5f92c6670ce2466942e.exe

C2http://77.91.76.36/3886d2276f6914c4.php

Keys

RC47823385150158962326987040273

Strings (346)" & del "C:\ProgramData\*.dll"" & exit

%08lX%04lX%lu

%APPDATA%

%DESKTOP%

%DOCUMENTS%

%LOCALAPPDATA%

%PROGRAMFILES%

%PROGRAMFILES_86%

%RECENT%

%USERPROFILE%

%d/%d/%d %d:%d:%d

%hu/%hu/%hu

*.ini

*.lnk

*.tox

- Architecture:

- CPU:

- Computer Name:

- Cores:

- Country: ISO?

- Display Resolution:

- GPU:

- HWID:

- IP: IP?

- Keyboards:

- Language:

- Laptop:

- Local Time:

- OS:

- RAM:

- Running Path:

- Threads:

- UTC:

- UserName:

.exe

.txt

/3886d2276f6914c4.php

/c start

/c timeout /t 5 & del /f /q "

/f059ec3d7eb90876/

00000001

00000002

00000003

00000004

A7FDF864FBC10B77*

A92DAA6EA6F891F2*

ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890

All Users:

BCryptCloseAlgorithmProvider

BCryptDecrypt

BCryptDestroyKey

BCryptGenerateSymmetricKey

BCryptOpenAlgorithmProvider

BCryptSetProperty

BitBlt

C:\ProgramData\

C:\ProgramData\nss3.dll

C:\Windows\system32\cmd.exe

CURRENT

CharToOemW

CloseHandle

CloseWindow

CoCreateInstance

CoInitialize

CoUninitialize

Content-Disposition: form-data; name="

Content-Type: multipart/form-data; boundary=----

CopyFileA

CreateCompatibleBitmap

CreateCompatibleD

CreateDCA

CreateEventA

CreateFileA

CreateStreamOnHGlobal

CreateToolhelp32Snapshot

CryptBinaryToStringA

CryptStringToBinaryA

CryptUnprotectData

Current User:

D877F783D5D3EF8C*

DISPLAY

DeleteFileA

DeleteObject

DialogConfig.vdf

DialogConfigOverlay*.vdf

DisplayName

DisplayVersion

EnumDisplayDevicesA

ExitProcess

F8806DD0C461824F*

FALSE

FindClose

FindFirstFileA

FindNextFileA

FreeLibrary

GdipCreateBitmaFromHBITMAP

GdipDisposeImage

GdipFree

GdipGetImageEncoders

GdipGetImageEncodersSize

GdipSaveImageToStream

GdiplusShutdown

GdiplusStartup

GetComputerNameA

GetCurrentProcess

GetCurrentProcessId

GetDC

GetDesktopWindow

GetDeviceCaps

GetEnvironmentVariableA

GetFileAttributesA

GetFileSize

GetFileSizeEx

GetHGlobalFromStream

GetKeyboardLayoutList

GetLastError

GetLocalTime

GetLocaleInfoA

GetLogicalProcessorInformationEx

GetModuleFileNameA

GetModuleFileNameExA

GetProcAddress

GetProcessHeap

GetSystemInfo

GetSystemPowerStatus

GetSystemTime

GetTimeZoneInformation

GetUserDefaultLangID

GetUserDefaultLocaleName

GetUserNameA

GetVolumeInformationA

GetWindowRect

GetWindowsDirectoryA

GlobalAlloc

GlobalFree

GlobalLock

GlobalMemoryStatusEx

GlobalSize

HAL9TH

HARDWARE\DESCRIPTION\System\CentralProcessor\0

HTTP/1.1

HeapAlloc

HeapFree

History

HttpOpenRequestA

HttpSendRequestA

IndexedDB

Installed Apps:

InternetCloseHandle

InternetConnectA

InternetCrackUrlA

InternetOpenA

InternetOpenUrlA

InternetReadFile

IsWow64Process

JohnDoe

LoadLibraryA

Local Extension Settings

Local State

LocalAlloc

LocalFree

MultiByteToWideChar

NSS_Init

NSS_Shutdown

Network

Network Info:

OpenEventA

OpenProcess

Opera

Opera GX Stable

Opera Stable

OperaGX

PATH

PK11SDR_Decrypt

PK11_Authenticate

PK11_FreeSlot

PK11_GetInternalKeySlot

POST

Password

PathMatchSpecA

Pidgin

Process List:

Process32First

Process32Next

ProcessorNameString

ProductName

ReadFile

RegCloseKey

RegEnumKeyExA

RegEnumValueA

RegOpenKeyExA

RegQueryValueExA

ReleaseDC

RmEndSession

RmGetList

RmRegisterResources

RmStartSession

SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies

SELECT fieldname, value FROM moz_formhistory

SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies

SELECT name, value ROM autofill

SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards

SELECT origin_url, username_value, password_value FROM logins

SELECT url FROM moz_places LIMIT 1000

SELECT url FROM urls LIMIT 1000

SHGetFolderPathA

SOFTWARE\Microsoft\Windows NT\CurrentVersion

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

SelectObject

SetEnvironmentVariableA

SetFilePointer

ShellExecuteExA

Sleep

Software\Microsoft\Office\13.0\Outlok\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\

Software\Microsoft\Office\14.0\Outlok\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\

Software\Microsoft\Office\15.0\Outlok\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\

Software\Microsoft\Office\16.0\Outlok\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\

Software\Valve\Steam

SteamPath

StrCmpCA

StrCmpCW

StrStrA

Sync Extension Settings

System Summary:

SystemTimeToFileTime

TJwB~1{(

TRUE

TerminateProcess

User Agents:

VMwareVMware

VirtualAlloc

VirtualAllocExNuma

VirtualFree

VirtualProtect

Web Data

WideCharToMultiByte

WriteFile

Ys`6N

\.purple\

\Discord\tokens.txt

\Local Storage\leveldb

\Local Storage\leveldb\CURRENT

\Outlook\accounts.txt

\Steam\

\Telegram Desktop\

\Temp\

\config\

\discord\

_0.indexeddb.leveldb

accounts.xml

advapi32.dll

autofill

bcrypt.dll

browser:

browsers

build

card:

chrome

chrome-extension_

config.vdf

cookies.sqlite

crypt32.dll

dQw4w9WgXcQ

default

done

encryptedPassword

encryptedUsername

encrypted_key

file

file_name

files

firefox

formSubmitURL

formhistory.sqlite

freebl3.dll

gdi32.dll

gdiplus.dll

guid

history

http://77.91.76.36

https

hwid

key_datas

libraryfolders.vdf

logins.json

loginusers.vdf

lstrcatA

lstrcpyA

lstrcpynA

lstrlenA

map*

message

month:

mozglue.dll

msvcp140.dll

name:

nss3.dll

ntdll.dll

oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\

ole32.dll

open

opera

password:

places.sqlite

plugins

profile:

profiles.ini

psapi.dll

q"`.]uz{P!?:Q

rstrtmgr.dll

runas

screenshot.jpg

shell32.dll

shlwapi.dll

soft

softokn3.dll

sqlite3.dll

sqlite3_close

sqlite3_column_blob

sqlite3_column_bytes

sqlite3_column_text

sqlite3_finalize

sqlite3_open

sqlite3_prepare_v2

sqlite3_step

sscanf

ssfn*

system_info.txt

token

token:

url:

user32.dll

usernameField

vcruntime140.dll

wallets

wininet.dll

wsprintfA

wsprintfW

year:

|"by

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (41)
.exe	\|	Win64 Executable (generic) (36.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.6)
.exe	\|	Win32 Executable (generic) (5.9)
.exe	\|	Clipper DOS Executable (2.6)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:02:05 11:11:45+01:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	10
CodeSize:	178688
InitializedDataSize:	3793920
UninitializedDataSize:	-
EntryPoint:	0x895e
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	21.0.0.0
ProductVersionNumber:	34.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Unknown (0373)
CharacterSet:	Unknown (63B6)
FileDescriptions:	Vellting
InternalName:	Bastard.exe
LegalTrademark1:	Fractal
OriginalFileName:	Lameros.exe
ProductName:	Jadocka
ProductVersion:	57.38.26

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2128

"C:\Users\admin\AppData\Local\Temp\20352dbd9ccbf5f92c6670ce2466942e.exe"

C:\Users\admin\AppData\Local\Temp\20352dbd9ccbf5f92c6670ce2466942e.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\20352dbd9ccbf5f92c6670ce2466942e.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

Stealc

(PID) Process(2128) 20352dbd9ccbf5f92c6670ce2466942e.exe

C2http://77.91.76.36/3886d2276f6914c4.php

Keys

RC47823385150158962326987040273

Strings (346)" & del "C:\ProgramData\*.dll"" & exit

%08lX%04lX%lu

%APPDATA%

%DESKTOP%

%DOCUMENTS%

%LOCALAPPDATA%

%PROGRAMFILES%

%PROGRAMFILES_86%

%RECENT%

%USERPROFILE%

%d/%d/%d %d:%d:%d

%hu/%hu/%hu

*.ini

*.lnk

*.tox

- Architecture:

- CPU:

- Computer Name:

- Cores:

- Country: ISO?

- Display Resolution:

- GPU:

- HWID:

- IP: IP?

- Keyboards:

- Language:

- Laptop:

- Local Time:

- OS:

- RAM:

- Running Path:

- Threads:

- UTC:

- UserName:

.exe

.txt

/3886d2276f6914c4.php

/c start

/c timeout /t 5 & del /f /q "

/f059ec3d7eb90876/

00000001

00000002

00000003

00000004

A7FDF864FBC10B77*

A92DAA6EA6F891F2*

ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890

All Users:

BCryptCloseAlgorithmProvider

BCryptDecrypt

BCryptDestroyKey

BCryptGenerateSymmetricKey

BCryptOpenAlgorithmProvider

BCryptSetProperty

BitBlt

C:\ProgramData\

C:\ProgramData\nss3.dll

C:\Windows\system32\cmd.exe

CURRENT

CharToOemW

CloseHandle

CloseWindow

CoCreateInstance

CoInitialize

CoUninitialize

Content-Disposition: form-data; name="

Content-Type: multipart/form-data; boundary=----

CopyFileA

CreateCompatibleBitmap

CreateCompatibleD

CreateDCA

CreateEventA

CreateFileA

CreateStreamOnHGlobal

CreateToolhelp32Snapshot

CryptBinaryToStringA

CryptStringToBinaryA

CryptUnprotectData

Current User:

D877F783D5D3EF8C*

DISPLAY

DeleteFileA

DeleteObject

DialogConfig.vdf

DialogConfigOverlay*.vdf

DisplayName

DisplayVersion

EnumDisplayDevicesA

ExitProcess

F8806DD0C461824F*

FALSE

FindClose

FindFirstFileA

FindNextFileA

FreeLibrary

GdipCreateBitmaFromHBITMAP

GdipDisposeImage

GdipFree

GdipGetImageEncoders

GdipGetImageEncodersSize

GdipSaveImageToStream

GdiplusShutdown

GdiplusStartup

GetComputerNameA

GetCurrentProcess

GetCurrentProcessId

GetDC

GetDesktopWindow

GetDeviceCaps

GetEnvironmentVariableA

GetFileAttributesA

GetFileSize

GetFileSizeEx

GetHGlobalFromStream

GetKeyboardLayoutList

GetLastError

GetLocalTime

GetLocaleInfoA

GetLogicalProcessorInformationEx

GetModuleFileNameA

GetModuleFileNameExA

GetProcAddress

GetProcessHeap

GetSystemInfo

GetSystemPowerStatus

GetSystemTime

GetTimeZoneInformation

GetUserDefaultLangID

GetUserDefaultLocaleName

GetUserNameA

GetVolumeInformationA

GetWindowRect

GetWindowsDirectoryA

GlobalAlloc

GlobalFree

GlobalLock

GlobalMemoryStatusEx

GlobalSize

HAL9TH

HARDWARE\DESCRIPTION\System\CentralProcessor\0

HTTP/1.1

HeapAlloc

HeapFree

History

HttpOpenRequestA

HttpSendRequestA

IndexedDB

Installed Apps:

InternetCloseHandle

InternetConnectA

InternetCrackUrlA

InternetOpenA

InternetOpenUrlA

InternetReadFile

IsWow64Process

JohnDoe

LoadLibraryA

Local Extension Settings

Local State

LocalAlloc

LocalFree

MultiByteToWideChar

NSS_Init

NSS_Shutdown

Network

Network Info:

OpenEventA

OpenProcess

Opera

Opera GX Stable

Opera Stable

OperaGX

PATH

PK11SDR_Decrypt

PK11_Authenticate

PK11_FreeSlot

PK11_GetInternalKeySlot

POST

Password

PathMatchSpecA

Pidgin

Process List:

Process32First

Process32Next

ProcessorNameString

ProductName

ReadFile

RegCloseKey

RegEnumKeyExA

RegEnumValueA

RegOpenKeyExA

RegQueryValueExA

ReleaseDC

RmEndSession

RmGetList

RmRegisterResources

RmStartSession

SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies

SELECT fieldname, value FROM moz_formhistory

SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies

SELECT name, value ROM autofill

SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards

SELECT origin_url, username_value, password_value FROM logins

SELECT url FROM moz_places LIMIT 1000

SELECT url FROM urls LIMIT 1000

SHGetFolderPathA

SOFTWARE\Microsoft\Windows NT\CurrentVersion

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

SelectObject

SetEnvironmentVariableA

SetFilePointer

ShellExecuteExA

Sleep

Software\Microsoft\Office\13.0\Outlok\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\

Software\Microsoft\Office\14.0\Outlok\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\

Software\Microsoft\Office\15.0\Outlok\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\

Software\Microsoft\Office\16.0\Outlok\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\

Software\Valve\Steam

SteamPath

StrCmpCA

StrCmpCW

StrStrA

Sync Extension Settings

System Summary:

SystemTimeToFileTime

TJwB~1{(

TRUE

TerminateProcess

User Agents:

VMwareVMware

VirtualAlloc

VirtualAllocExNuma

VirtualFree

VirtualProtect

Web Data

WideCharToMultiByte

WriteFile

Ys`6N

\.purple\

\Discord\tokens.txt

\Local Storage\leveldb

\Local Storage\leveldb\CURRENT

\Outlook\accounts.txt

\Steam\

\Telegram Desktop\

\Temp\

\config\

\discord\

_0.indexeddb.leveldb

accounts.xml

advapi32.dll

autofill

bcrypt.dll

browser:

browsers

build

card:

chrome

chrome-extension_

config.vdf

cookies.sqlite

crypt32.dll

dQw4w9WgXcQ

default

done

encryptedPassword

encryptedUsername

encrypted_key

file

file_name

files

firefox

formSubmitURL

formhistory.sqlite

freebl3.dll

gdi32.dll

gdiplus.dll

guid

history

http://77.91.76.36

https

hwid

key_datas

libraryfolders.vdf

logins.json

loginusers.vdf

lstrcatA

lstrcpyA

lstrcpynA

lstrlenA

map*

message

month:

mozglue.dll

msvcp140.dll

name:

nss3.dll

ntdll.dll

oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\

ole32.dll

open

opera

password:

places.sqlite

plugins

profile:

profiles.ini

psapi.dll

q"`.]uz{P!?:Q

rstrtmgr.dll

runas

screenshot.jpg

shell32.dll

shlwapi.dll

soft

softokn3.dll

sqlite3.dll

sqlite3_close

sqlite3_column_blob

sqlite3_column_bytes

sqlite3_column_text

sqlite3_finalize

sqlite3_open

sqlite3_prepare_v2

sqlite3_step

sscanf

ssfn*

system_info.txt

token

token:

url:

user32.dll

usernameField

vcruntime140.dll

wallets

wininet.dll

wsprintfA

wsprintfW

year:

|"by

Add for printing

Total events

259

Read events

247

Write events

Delete events

Modification events


(PID) Process:	(2128) 20352dbd9ccbf5f92c6670ce2466942e.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(2128) 20352dbd9ccbf5f92c6670ce2466942e.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(2128) 20352dbd9ccbf5f92c6670ce2466942e.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 0
(PID) Process:	(2128) 20352dbd9ccbf5f92c6670ce2466942e.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:	write	Name:	SavedLegacySettings
Value: 46000000C1000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2128) 20352dbd9ccbf5f92c6670ce2466942e.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2128) 20352dbd9ccbf5f92c6670ce2466942e.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2128) 20352dbd9ccbf5f92c6670ce2466942e.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2128) 20352dbd9ccbf5f92c6670ce2466942e.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

No data

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2128	20352dbd9ccbf5f92c6670ce2466942e.exe	POST	200	77.91.76.36:80	http://77.91.76.36/3886d2276f6914c4.php	unknown	text	8 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	224.0.0.252:5355	—	—	—	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1956	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
324	svchost.exe	224.0.0.252:5355	—	—	—	unknown
2128	20352dbd9ccbf5f92c6670ce2466942e.exe	77.91.76.36:80	—	Foton Telecom CJSC	RU	unknown

DNS requests

No data

Threats

PID	Process	Class	Message
2128	20352dbd9ccbf5f92c6670ce2466942e.exe	Malware Command and Control Activity Detected	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
2128	20352dbd9ccbf5f92c6670ce2466942e.exe	Malware Command and Control Activity Detected	STEALER [ANY.RUN] Stealc

Add for printing

No debug info

General Info

20352dbd9ccbf5f92c6670ce2466942e.exe

20352DBD9CCBF5F92C6670CE2466942E

CD1E7635020841478C59F976260F5D7516CB709F

1E19E42B22CEBBF20EBA654F4FF460D06A903775730416106B8DBD35B41C3C81

6144:UZRn/f5EkZUkDc3rLA0iSLQzgjjMUpfb58iEdfcOXjX6fFXI+rQrc4q:oDEWUkDc33AVSLQzi48DGivXLKc4q

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

STEALC has been detected (YARA)

STEALC has been detected (SURICATA)

Connects to the CnC server

SUSPICIOUS

Reads the Internet Settings

Connects to the server without a host name

INFO

Checks proxy server information

Reads the machine GUID from the registry

Reads the computer name

Checks supported languages

Malware configuration

Stealc

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Malware configuration

Stealc

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings