ScreenShot
| Created | 2024.07.06 18:30 | Machine | s1_win7_x6403 |
| Filename | stealc_zov.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 65 detected (AIDetectMalware, Stealerc, Windows, Threat, Malicious, score, Trojanpws, Zusy, Unsafe, Vwy9, GenusT, DXHC, Attribute, HighConfidence, Stealc, Artemis, BackdoorX, Fragtor, TrojanPSW, ccmw, DQwxTsXk3kJ, ZPACK, VIDAR, YXEF3Z, Real Protect, moderate, Detected, ai score=82, Malware@#1yk8h8m7sh7d6, ABTrojan, DVGN, R636928, BScope, PasswordStealer, GdSda, Gencirc, Static AI, Suspicious PE, susgen, confidence, GMH2XJC) | ||
| md5 | 253ccac8a47b80287f651987c0c779ea | ||
| sha256 | 262a400b339deea5089433709ce559d23253e23d23c07595b515755114147e2f | ||
| ssdeep | 3072:ed5iO3xGNftsLz4oPNKMQgC6OFr41uIG5RaopW:ej3xGNVwlJ7OF08IQRa | ||
| imphash | 1ef0d6e4c3554a91026b47d9a27bf6db | ||
| impfuzzy | 24:Sq4/8Afb8J9Xu3zzGdlbtUalSfMcgJKuDRlY:Sq4/8Ob8r+33GXtp8fMzi | ||
Network IP location
Signature (18cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 65 AntiVirus engines on VirusTotal as malicious |
| watch | Checks the CPU name from registry |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Harvests credentials from local email clients |
| watch | Harvests credentials from local FTP client softwares |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | An executable file was downloaded by the process stealc_zov.exe |
| notice | Creates executable files on the filesystem |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Queries for potentially installed applications |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Sends data using the HTTP POST Method |
| notice | Steals private information from local Internet browsers |
| info | Checks amount of memory in system |
| info | Queries for the computername |
| info | Tries to locate where the browsers are installed |
Rules (13cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (9cnts) ?
Suricata ids
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Submitting System Information to C2
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
ET MALWARE Win32/Stealc Submitting Screenshot to C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Submitting System Information to C2
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
ET MALWARE Win32/Stealc Submitting Screenshot to C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
PE API
IAT(Import Address Table) Library
msvcrt.dll
0x41c0a8 strncpy
0x41c0ac malloc
0x41c0b0 ??_V@YAXPAX@Z
0x41c0b4 memchr
0x41c0b8 ??_U@YAPAXI@Z
0x41c0bc strtok_s
0x41c0c0 strcpy_s
0x41c0c4 vsprintf_s
0x41c0c8 memmove
0x41c0cc memcpy
0x41c0d0 strlen
0x41c0d4 memset
0x41c0d8 memcmp
0x41c0dc __CxxFrameHandler3
KERNEL32.dll
0x41c000 GetCurrentThreadId
0x41c004 LocalAlloc
0x41c008 VirtualQueryEx
0x41c00c OpenProcess
0x41c010 ReadProcessMemory
0x41c014 GetLastError
0x41c018 HeapFree
0x41c01c UnhandledExceptionFilter
0x41c020 SetUnhandledExceptionFilter
0x41c024 IsDebuggerPresent
0x41c028 EncodePointer
0x41c02c DecodePointer
0x41c030 TerminateProcess
0x41c034 GetCurrentProcess
0x41c038 InitializeCriticalSectionAndSpinCount
0x41c03c LeaveCriticalSection
0x41c040 EnterCriticalSection
0x41c044 RtlUnwind
0x41c048 TlsGetValue
0x41c04c TlsSetValue
0x41c050 InterlockedIncrement
0x41c054 GetModuleHandleW
0x41c058 SetLastError
0x41c05c InterlockedDecrement
0x41c060 GetProcAddress
0x41c064 ExitProcess
0x41c068 Sleep
0x41c06c WriteFile
0x41c070 GetStdHandle
0x41c074 GetModuleFileNameW
0x41c078 GetCPInfo
0x41c07c GetACP
0x41c080 GetOEMCP
0x41c084 IsValidCodePage
0x41c088 LoadLibraryW
0x41c08c HeapAlloc
0x41c090 WideCharToMultiByte
0x41c094 LCMapStringW
0x41c098 MultiByteToWideChar
0x41c09c GetStringTypeW
0x41c0a0 RaiseException
EAT(Export Address Table) is none
msvcrt.dll
0x41c0a8 strncpy
0x41c0ac malloc
0x41c0b0 ??_V@YAXPAX@Z
0x41c0b4 memchr
0x41c0b8 ??_U@YAPAXI@Z
0x41c0bc strtok_s
0x41c0c0 strcpy_s
0x41c0c4 vsprintf_s
0x41c0c8 memmove
0x41c0cc memcpy
0x41c0d0 strlen
0x41c0d4 memset
0x41c0d8 memcmp
0x41c0dc __CxxFrameHandler3
KERNEL32.dll
0x41c000 GetCurrentThreadId
0x41c004 LocalAlloc
0x41c008 VirtualQueryEx
0x41c00c OpenProcess
0x41c010 ReadProcessMemory
0x41c014 GetLastError
0x41c018 HeapFree
0x41c01c UnhandledExceptionFilter
0x41c020 SetUnhandledExceptionFilter
0x41c024 IsDebuggerPresent
0x41c028 EncodePointer
0x41c02c DecodePointer
0x41c030 TerminateProcess
0x41c034 GetCurrentProcess
0x41c038 InitializeCriticalSectionAndSpinCount
0x41c03c LeaveCriticalSection
0x41c040 EnterCriticalSection
0x41c044 RtlUnwind
0x41c048 TlsGetValue
0x41c04c TlsSetValue
0x41c050 InterlockedIncrement
0x41c054 GetModuleHandleW
0x41c058 SetLastError
0x41c05c InterlockedDecrement
0x41c060 GetProcAddress
0x41c064 ExitProcess
0x41c068 Sleep
0x41c06c WriteFile
0x41c070 GetStdHandle
0x41c074 GetModuleFileNameW
0x41c078 GetCPInfo
0x41c07c GetACP
0x41c080 GetOEMCP
0x41c084 IsValidCodePage
0x41c088 LoadLibraryW
0x41c08c HeapAlloc
0x41c090 WideCharToMultiByte
0x41c094 LCMapStringW
0x41c098 MultiByteToWideChar
0x41c09c GetStringTypeW
0x41c0a0 RaiseException
EAT(Export Address Table) is none