ScreenShot
| Created | 2024.08.01 08:45 | Machine | s1_win7_x6403 |
| Filename | stealc_valenciga.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | |||
| md5 | cb24cc9c184d8416a66b78d9af3c06a2 | ||
| sha256 | 53ebff6421eac84a4337bdf9f33d409ca84b5229ac9e001cd95b6878d8bdbeb6 | ||
| ssdeep | 3072:iJlgTFj5qDao8KaxfE54HnnGSail+bOX8b/aB9GVFHJKa:iJ65j5Ka2aOanGSabYZTOFpKa | ||
| imphash | 75f38a281962eafd8c14d2b02cfcdab6 | ||
| impfuzzy | 24:j/8Wfb8J93qsQCTBlR1YzGWtU9fMyDkfjY/J3IQ:j/8Mb8r3qVCTBv1kGWtcfMzKj | ||
Network IP location
Signature (17cnts)
| Level | Description |
|---|---|
| watch | Checks the CPU name from registry |
| watch | Collects information about installed applications |
| watch | Communicates with host for which no DNS query was performed |
| watch | Harvests credentials from local email clients |
| watch | Harvests credentials from local FTP client softwares |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | An executable file was downloaded by the process stealc_valenciga.exe |
| notice | Creates executable files on the filesystem |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Performs some HTTP requests |
| notice | Queries for potentially installed applications |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Sends data using the HTTP POST Method |
| notice | Steals private information from local Internet browsers |
| info | Checks amount of memory in system |
| info | Queries for the computername |
| info | Tries to locate where the browsers are installed |
Rules (16cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win32_Trojan_Gen_1_0904B0_Zero | Win32 Trojan Emotet | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (upload) |
| watch | Antivirus | Contains references to security software | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
Network (10cnts) ?
Suricata ids
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE Win32/Stealc Submitting System Information to C2
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE Win32/Stealc Submitting System Information to C2
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
PE API
IAT(Import Address Table) Library
msvcrt.dll
0x41e0ac strncpy
0x41e0b0 ??_V@YAXPAX@Z
0x41e0b4 memchr
0x41e0b8 ??_U@YAPAXI@Z
0x41e0bc strtok
0x41e0c0 strtok_s
0x41e0c4 strcpy_s
0x41e0c8 vsprintf_s
0x41e0cc memmove
0x41e0d0 strlen
0x41e0d4 malloc
0x41e0d8 free
0x41e0dc memcmp
0x41e0e0 ??2@YAPAXI@Z
0x41e0e4 memset
0x41e0e8 memcpy
0x41e0ec __CxxFrameHandler3
KERNEL32.dll
0x41e000 InitializeCriticalSectionAndSpinCount
0x41e004 WideCharToMultiByte
0x41e008 RaiseException
0x41e00c GetStringTypeW
0x41e010 MultiByteToWideChar
0x41e014 LCMapStringW
0x41e018 IsValidCodePage
0x41e01c lstrlenA
0x41e020 HeapAlloc
0x41e024 GetProcessHeap
0x41e028 VirtualProtect
0x41e02c VirtualQueryEx
0x41e030 OpenProcess
0x41e034 ReadProcessMemory
0x41e038 WriteFile
0x41e03c GetOEMCP
0x41e040 GetACP
0x41e044 UnhandledExceptionFilter
0x41e048 SetUnhandledExceptionFilter
0x41e04c IsDebuggerPresent
0x41e050 EncodePointer
0x41e054 DecodePointer
0x41e058 TerminateProcess
0x41e05c GetCurrentProcess
0x41e060 LeaveCriticalSection
0x41e064 EnterCriticalSection
0x41e068 RtlUnwind
0x41e06c GetProcAddress
0x41e070 GetModuleHandleW
0x41e074 ExitProcess
0x41e078 Sleep
0x41e07c GetStdHandle
0x41e080 GetModuleFileNameW
0x41e084 GetLastError
0x41e088 LoadLibraryW
0x41e08c TlsGetValue
0x41e090 TlsSetValue
0x41e094 InterlockedIncrement
0x41e098 SetLastError
0x41e09c GetCurrentThreadId
0x41e0a0 InterlockedDecrement
0x41e0a4 GetCPInfo
EAT(Export Address Table) is none
msvcrt.dll
0x41e0ac strncpy
0x41e0b0 ??_V@YAXPAX@Z
0x41e0b4 memchr
0x41e0b8 ??_U@YAPAXI@Z
0x41e0bc strtok
0x41e0c0 strtok_s
0x41e0c4 strcpy_s
0x41e0c8 vsprintf_s
0x41e0cc memmove
0x41e0d0 strlen
0x41e0d4 malloc
0x41e0d8 free
0x41e0dc memcmp
0x41e0e0 ??2@YAPAXI@Z
0x41e0e4 memset
0x41e0e8 memcpy
0x41e0ec __CxxFrameHandler3
KERNEL32.dll
0x41e000 InitializeCriticalSectionAndSpinCount
0x41e004 WideCharToMultiByte
0x41e008 RaiseException
0x41e00c GetStringTypeW
0x41e010 MultiByteToWideChar
0x41e014 LCMapStringW
0x41e018 IsValidCodePage
0x41e01c lstrlenA
0x41e020 HeapAlloc
0x41e024 GetProcessHeap
0x41e028 VirtualProtect
0x41e02c VirtualQueryEx
0x41e030 OpenProcess
0x41e034 ReadProcessMemory
0x41e038 WriteFile
0x41e03c GetOEMCP
0x41e040 GetACP
0x41e044 UnhandledExceptionFilter
0x41e048 SetUnhandledExceptionFilter
0x41e04c IsDebuggerPresent
0x41e050 EncodePointer
0x41e054 DecodePointer
0x41e058 TerminateProcess
0x41e05c GetCurrentProcess
0x41e060 LeaveCriticalSection
0x41e064 EnterCriticalSection
0x41e068 RtlUnwind
0x41e06c GetProcAddress
0x41e070 GetModuleHandleW
0x41e074 ExitProcess
0x41e078 Sleep
0x41e07c GetStdHandle
0x41e080 GetModuleFileNameW
0x41e084 GetLastError
0x41e088 LoadLibraryW
0x41e08c TlsGetValue
0x41e090 TlsSetValue
0x41e094 InterlockedIncrement
0x41e098 SetLastError
0x41e09c GetCurrentThreadId
0x41e0a0 InterlockedDecrement
0x41e0a4 GetCPInfo
EAT(Export Address Table) is none