File name: | 5ce986aa91b63b877b80363406c71947e6cac66d4d8a77d4f9ca2c87b15f70c5.exe |
Full analysis: | https://app.any.run/tasks/56ce904a-2fc5-4d31-9ff2-5d416b032d73 |
Verdict: | Malicious activity |
Threats: | Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. |
Analysis date: | May 19, 2024, 12:54:33 |
OS: | Windows 10 Professional (build: 19045, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 347044F36D5C438D45D1E1A19333BFC4 |
SHA1: | 7879A5CD293ACBFA57CD81D6417FC7D1FFD4D5C2 |
SHA256: | 5CE986AA91B63B877B80363406C71947E6CAC66D4D8A77D4F9CA2C87B15F70C5 |
SSDEEP: | 6144:eEEeszYh8Zin6cvvBUXpm161SYFsXbyrtZngDyeHcDV/VC0ATUjS4I8LVVN:e0wY6ZinNved57V/VvVVN |
.exe | | | Win32 Executable MS Visual C++ (generic) (46.3) |
---|---|---|
.exe | | | Win64 Executable (generic) (41) |
.exe | | | Win32 Executable (generic) (6.6) |
.exe | | | Generic Win/DOS Executable (2.9) |
.exe | | | DOS Executable Generic (2.9) |
FileSubtype: | - |
---|---|
ObjectFileType: | Executable application |
FileOS: | Windows NT 32-bit |
FileFlags: | Debug, Pre-release, Patched, Private build, Special build |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 24.0.0.0 |
FileVersionNumber: | 68.0.0.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 5 |
ImageVersion: | - |
OSVersion: | 5 |
EntryPoint: | 0x1602 |
UninitializedDataSize: | - |
InitializedDataSize: | 32808448 |
CodeSize: | 37376 |
LinkerVersion: | 9 |
PEType: | PE32 |
ImageFileCharacteristics: | No relocs, Executable, 32-bit |
TimeStamp: | 2022:12:26 03:22:29+00:00 |
MachineType: | Intel 386 or later, and compatibles |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3808 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Minimized -Command "Start-Process C:\Users\admin\Desktop\5ce986aa91b63b877b80363406c71947e6cac66d4d8a77d4f9ca2c87b15f70c5.exe -Verb runas ; echo 'Started the file with administrator privileges, this is not part of the sample!' ; exit 0 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
3640 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
1752 | "C:\Users\admin\Desktop\5ce986aa91b63b877b80363406c71947e6cac66d4d8a77d4f9ca2c87b15f70c5.exe" | C:\Users\admin\Desktop\5ce986aa91b63b877b80363406c71947e6cac66d4d8a77d4f9ca2c87b15f70c5.exe | powershell.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 3221225477 Modules
Stealc(PID) Process(1752) 5ce986aa91b63b877b80363406c71947e6cac66d4d8a77d4f9ca2c87b15f70c5.exe C2185.172.128.170 Strings (351)INSERT_KEY_HERE 27 05 20 24 GetProcAddress LoadLibraryA lstrcatA OpenEventA CreateEventA CloseHandle Sleep GetUserDefaultLangID VirtualAllocExNuma VirtualFree GetSystemInfo VirtualAlloc HeapAlloc GetComputerNameA lstrcpyA GetProcessHeap GetCurrentProcess lstrlenA ExitProcess GlobalMemoryStatusEx GetSystemTime SystemTimeToFileTime advapi32.dll gdi32.dll user32.dll crypt32.dll ntdll.dll GetUserNameA CreateDCA GetDeviceCaps ReleaseDC CryptStringToBinaryA sscanf VMwareVMware HAL9TH JohnDoe DISPLAY %hu/%hu/%hu http://185.172.128.170 /7043a0c6a68d9c65.php /8420e83ceb95f3af/ default11 GetEnvironmentVariableA GetFileAttributesA GlobalLock HeapFree GetFileSize GlobalSize CreateToolhelp32Snapshot IsWow64Process Process32Next GetLocalTime FreeLibrary GetTimeZoneInformation GetSystemPowerStatus GetVolumeInformationA GetWindowsDirectoryA Process32First GetLocaleInfoA GetUserDefaultLocaleName GetModuleFileNameA DeleteFileA FindNextFileA LocalFree FindClose SetEnvironmentVariableA LocalAlloc GetFileSizeEx ReadFile SetFilePointer WriteFile CreateFileA FindFirstFileA CopyFileA VirtualProtect GetLogicalProcessorInformationEx GetLastError lstrcpynA MultiByteToWideChar GlobalFree WideCharToMultiByte GlobalAlloc OpenProcess TerminateProcess GetCurrentProcessId gdiplus.dll ole32.dll bcrypt.dll wininet.dll shlwapi.dll shell32.dll psapi.dll rstrtmgr.dll CreateCompatibleBitmap SelectObject BitBlt DeleteObject CreateCompatibleDC GdipGetImageEncodersSize GdipGetImageEncoders GdipCreateBitmapFromHBITMAP GdiplusStartup GdiplusShutdown GdipSaveImageToStream GdipDisposeImage GdipFree GetHGlobalFromStream CreateStreamOnHGlobal CoUninitialize CoInitialize CoCreateInstance BCryptGenerateSymmetricKey BCryptCloseAlgorithmProvider BCryptDecrypt BCryptSetProperty BCryptDestroyKey BCryptOpenAlgorithmProvider GetWindowRect GetDesktopWindow GetDC CloseWindow wsprintfA EnumDisplayDevicesA GetKeyboardLayoutList CharToOemW wsprintfW RegQueryValueExA RegEnumKeyExA RegOpenKeyExA RegCloseKey RegEnumValueA CryptBinaryToStringA CryptUnprotectData SHGetFolderPathA ShellExecuteExA InternetOpenUrlA InternetConnectA InternetCloseHandle InternetOpenA HttpSendRequestA HttpOpenRequestA InternetReadFile InternetCrackUrlA StrCmpCA StrStrA StrCmpCW PathMatchSpecA GetModuleFileNameExA RmStartSession RmRegisterResources RmGetList RmEndSession sqlite3_open sqlite3_prepare_v2 sqlite3_step sqlite3_column_text sqlite3_finalize sqlite3_close sqlite3_column_bytes sqlite3_column_blob encrypted_key PATH C:\ProgramData\nss3.dll NSS_Init NSS_Shutdown PK11_GetInternalKeySlot PK11_FreeSlot PK11_Authenticate PK11SDR_Decrypt C:\ProgramData\ SELECT origin_url, username_value, password_value FROM logins browser: profile: url: login: password: Opera OperaGX Network cookies .txt SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies TRUE FALSE autofill SELECT name, value FROM autofill history SELECT url FROM urls LIMIT 1000 cc SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards name: month: year: card: Cookies Login Data Web Data History logins.json formSubmitURL usernameField encryptedUsername encryptedPassword guid SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies SELECT fieldname, value FROM moz_formhistory SELECT url FROM moz_places LIMIT 1000 cookies.sqlite formhistory.sqlite places.sqlite plugins Local Extension Settings Sync Extension Settings IndexedDB Opera Stable Opera GX Stable CURRENT chrome-extension_ _0.indexeddb.leveldb Local State profiles.ini chrome opera firefox wallets %08lX%04lX%lu SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductName x32 x64 %d/%d/%d %d:%d:%d HARDWARE\DESCRIPTION\System\CentralProcessor\0 ProcessorNameString SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall DisplayName DisplayVersion Network Info: - IP: IP? - Country: ISO? System Summary: - HWID: - OS: - Architecture: - UserName: - Computer Name: - Local Time: - UTC: - Language: - Keyboards: - Laptop: - Running Path: - CPU: - Threads: - Cores: - RAM: - Display Resolution: - GPU: User Agents: Installed Apps: All Users: Current User: Process List: system_info.txt freebl3.dll mozglue.dll msvcp140.dll nss3.dll softokn3.dll vcruntime140.dll \Temp\ .exe runas open /c start %DESKTOP% %APPDATA% %LOCALAPPDATA% %USERPROFILE% %DOCUMENTS% %PROGRAMFILES% %PROGRAMFILES_86% %RECENT% *.lnk files \discord\ \Local Storage\leveldb\CURRENT \Local Storage\leveldb \Telegram Desktop\ key_datas D877F783D5D3EF8C* map* A7FDF864FBC10B77* A92DAA6EA6F891F2* F8806DD0C461824F* Telegram Tox *.tox *.ini Password Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\ Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\ Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\ Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\ Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\ oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\ 00000001 00000002 00000003 00000004 \Outlook\accounts.txt Pidgin \.purple\ accounts.xml dQw4w9WgXcQ token: Software\Valve\Steam SteamPath \config\ ssfn* config.vdf DialogConfig.vdf DialogConfigOverlay*.vdf libraryfolders.vdf loginusers.vdf \Steam\ sqlite3.dll browsers done soft \Discord\tokens.txt /c timeout /t 5 & del /f /q " " & del "C:\ProgramData\*.dll"" & exit C:\Windows\system32\cmd.exe https Content-Type: multipart/form-data; boundary=---- POST HTTP/1.1 Content-Disposition: form-data; name=" hwid build token file_name file message ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890 screenshot.jpg | |||||||||||||||
5032 | C:\WINDOWS\SysWOW64\WerFault.exe -u -p 1752 -s 1236 | C:\Windows\SysWOW64\WerFault.exe | 5ce986aa91b63b877b80363406c71947e6cac66d4d8a77d4f9ca2c87b15f70c5.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Problem Reporting Exit code: 0 Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
3244 | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft OneDriveFile Co-Authoring Executable Exit code: 0 Version: 19.043.0304.0013 Modules
|
(PID) Process: | (3808) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (3808) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (3808) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (3808) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 | |||
(PID) Process: | (1752) 5ce986aa91b63b877b80363406c71947e6cac66d4d8a77d4f9ca2c87b15f70c5.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
Operation: | write | Name: | CachePrefix |
Value: | |||
(PID) Process: | (1752) 5ce986aa91b63b877b80363406c71947e6cac66d4d8a77d4f9ca2c87b15f70c5.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
(PID) Process: | (1752) 5ce986aa91b63b877b80363406c71947e6cac66d4d8a77d4f9ca2c87b15f70c5.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
(PID) Process: | (1752) 5ce986aa91b63b877b80363406c71947e6cac66d4d8a77d4f9ca2c87b15f70c5.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (1752) 5ce986aa91b63b877b80363406c71947e6cac66d4d8a77d4f9ca2c87b15f70c5.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (1752) 5ce986aa91b63b877b80363406c71947e6cac66d4d8a77d4f9ca2c87b15f70c5.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3808 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | — | |
MD5:— | SHA256:— | |||
5032 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_5ce986aa91b63b87_89d98c7c9a4c9d6e58cd5394efb58833d3ba4_55d8319c_ca2f7c5e-47cd-4726-a44f-e8bda33eef42\Report.wer | — | |
MD5:— | SHA256:— | |||
5032 | WerFault.exe | C:\WINDOWS\AppCompat\Programs\Amcache.hve | binary | |
MD5:E408A297050FC1938846C25BE5C8816A | SHA256:FA7A7398536B5A09B6DCF3F431FC11DCBC146A3E3C5FDF682F734F9C8DDC0F3A | |||
3808 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:2F2C2A2EE732DF86493C15C8C19FF07D | SHA256:688BC8CD8C893812A1FC3494786E7CFEF0F2350EA7F325272BE12A929272DE4B | |||
5032 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER77DC.tmp.dmp | binary | |
MD5:442A9C6D3E2ED84EE49B3544455EAC46 | SHA256:F43213AB588B30E6755D13FE65E0395C3C9A87FA2D860E7A6169BE1ECCFA4127 | |||
5032 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\5ce986aa91b63b877b80363406c71947e6cac66d4d8a77d4f9ca2c87b15f70c5.exe.1752.dmp | dmp | |
MD5:481FD31DD22CDC3BD53ED9F4072D1D48 | SHA256:3651C53D61AB344439C9E0E0BED9A8DAB47F70155662A7442FD17B451CAA9830 | |||
3808 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C496LCMJG21Z6Y36W2ZB.temp | binary | |
MD5:A73735197A95AAE684F34215D590971B | SHA256:AE7F65206A7EAB9AE3AE1C51972780D9D7FC75CDDE42D8A1517B7EEE039B412E | |||
3244 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-05-19.1256.3244.1.odl | binary | |
MD5:3372A8BB710AE0F2097C2E04893D2C8C | SHA256:B6ED8D47C11A2206C55B51CF75786066A51DEC39608662B0D63906C4B3F7444B | |||
3244 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-05-19.1256.3244.1.aodl | binary | |
MD5:28DCA2FF4B34B5A52A2E59DF202A6ED3 | SHA256:33BACCB7296F1ED1F995FC77A23049F261CF391AC0388F9E8DD161F8C17B7F94 | |||
5032 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER7AAC.tmp.WERInternalMetadata.xml | xml | |
MD5:CC610C6E9861744F2C295447FC948FD6 | SHA256:F3F4E0578E5E725F6E3EA1A091A8DB86592BEC03FB542D2AA066135FB459A9D3 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
5140 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
5140 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
1752 | 5ce986aa91b63b877b80363406c71947e6cac66d4d8a77d4f9ca2c87b15f70c5.exe | POST | 200 | 185.172.128.170:80 | http://185.172.128.170/7043a0c6a68d9c65.php | unknown | — | — | unknown |
2908 | OfficeClickToRun.exe | POST | 200 | 20.189.173.12:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b | — |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2492 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5140 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5140 | MoUsoCoreWorker.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown |
5140 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown |
1752 | 5ce986aa91b63b877b80363406c71947e6cac66d4d8a77d4f9ca2c87b15f70c5.exe | 185.172.128.170:80 | — | OOO Nadym Svyaz Service | RU | malicious |
5456 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5032 | WerFault.exe | 13.89.179.12:443 | watson.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2908 | OfficeClickToRun.exe | 20.189.173.13:443 | self.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
Domain | IP | Reputation |
---|---|---|
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
watson.events.data.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Malware Command and Control Activity Detected | STEALER [ANY.RUN] Stealc |
— | — | Malware Command and Control Activity Detected | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in |