Source: 00000000.00000003.2099802766.0000000004920000.00000004.00001000.00020000.00000000.sdmp |
Malware Configuration Extractor: StealC {"C2 url": "http://45.88.76.238/3b55d279dd60140c.php", "Botnet": "LogsDiller"} |
Source: 5BQwrSLxIZ.exe |
ReversingLabs: Detection: 34% |
Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 100.0% probability |
Source: C:\Users\user\Desktop\5BQwrSLxIZ.exe |
Code function: 0_2_0040A2B0 CryptUnprotectData,LocalAlloc,memcpy,LocalFree, |
0_2_0040A2B0 |
Source: C:\Users\user\Desktop\5BQwrSLxIZ.exe |
Code function: 0_2_00419030 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, |
0_2_00419030 |
Source: C:\Users\user\Desktop\5BQwrSLxIZ.exe |
Code function: 0_2_0040C920 memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcatA,lstrcatA,lstrcatA, |
0_2_0040C920 |
Source: C:\Users\user\Desktop\5BQwrSLxIZ.exe |
Code function: 0_2_0040A210 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, |
0_2_0040A210 |
Source: C:\Users\user\Desktop\5BQwrSLxIZ.exe |
Code function: 0_2_004072A0 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree, |
0_2_004072A0 |
Source: C:\Users\user\Desktop\5BQwrSLxIZ.exe |
Code function: 0_2_6C8BB040 BCryptGenRandom,SystemFunction036, |
0_2_6C8BB040 |
Source: C:\Users\user\Desktop\5BQwrSLxIZ.exe |
Unpacked PE file: 0.2.5BQwrSLxIZ.exe.400000.0.unpack |
Source: 5BQwrSLxIZ.exe |
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: unknown |
HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49906 version: TLS 1.0 |
Source: unknown |
HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.5:49714 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49725 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.5:49726 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49737 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 40.126.32.72:443 -> 192.168.2.5:49832 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 40.126.32.72:443 -> 192.168.2.5:49843 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.5:49959 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 40.126.32.72:443 -> 192.168.2.5:49987 version: TLS 1.2 |
Source: |
Binary string: my_library.pdbU source: 5BQwrSLxIZ.exe, 00000000.00000003.2099802766.0000000004920000.00000004.00001000.00020000.00000000.sdmp, 5BQwrSLxIZ.exe, 00000000.00000002.2752257198.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 5BQwrSLxIZ.exe, 00000000.00000002.2754655975.0000000004840000.00000040.00001000.00020000.00000000.sdmp, 5BQwrSLxIZ.exe, 00000000.00000002.2771618992.000000006C901000.00000002.00000001.01000000.00000007.sdmp, chrome.dll.0.dr |
Source: |
Binary string: my_library.pdb source: 5BQwrSLxIZ.exe, 5BQwrSLxIZ.exe, 00000000.00000003.2099802766.0000000004920000.00000004.00001000.00020000.00000000.sdmp, 5BQwrSLxIZ.exe, 00000000.00000002.2752257198.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 5BQwrSLxIZ.exe, 00000000.00000002.2754655975.0000000004840000.00000040.00001000.00020000.00000000.sdmp, 5BQwrSLxIZ.exe, 00000000.00000002.2771618992.000000006C901000.00000002.00000001.01000000.00000007.sdmp, chrome.dll.0.dr |
Source: C:\Users\user\Desktop\5BQwrSLxIZ.exe |
Code function: 0_2_0040E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, |
0_2_0040E530 |
Source: C:\Users\user\Desktop\5BQwrSLxIZ.exe |
Code function: 0_2_0040BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,memset,lstrcatA,lstrcatA,lstrcatA,memset,lstrcatA,lstrcatA,lstrcatA,memset,lstrcatA,lstrcatA,lstrcatA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, |
0_2_0040BE40 |
Source: C:\Users\user\Desktop\5BQwrSLxIZ.exe |
Code function: 0_2_004140F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, |
0_2_004140F0 |
Source: C:\Users\user\Desktop\5BQwrSLxIZ.exe |
Code function: 0_2_0040EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, |
0_2_0040EE20 |
Source: C:\Users\user\Desktop\5BQwrSLxIZ.exe |
Code function: 0_2_00414B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, |
0_2_00414B60 |
Source: C:\Users\user\Desktop\5BQwrSLxIZ.exe |
Code function: 0_2_00413B00 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, |
0_2_00413B00 |
Source: C:\Users\user\Desktop\5BQwrSLxIZ.exe |
Code function: 0_2_0040DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, |
0_2_0040DF10 |
Source: C:\Users\user\Desktop\5BQwrSLxIZ.exe |
Code function: 0_2_00401710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, |
0_2_00401710 |
Source: C:\Users\user\Desktop\5BQwrSLxIZ.exe |
Code function: 0_2_004147C0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, |
0_2_004147C0 |
Source: C:\Users\user\Desktop\5BQwrSLxIZ.exe |
Code function: 0_2_0040DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, |
0_2_0040DB80 |
Source: C:\Users\user\Desktop\5BQwrSLxIZ.exe |
Code function: 0_2_0040F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, |
0_2_0040F7B0 |
Source: C:\Users\user\Desktop\5BQwrSLxIZ.exe |
Code function: 0_2_6C8F717D FindFirstFileExW, |
0_2_6C8F717D |
Source: C:\Users\user\Desktop\5BQwrSLxIZ.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ |
Source: C:\Users\user\Desktop\5BQwrSLxIZ.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ |
Source: C:\Users\user\Desktop\5BQwrSLxIZ.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ |
Source: C:\Users\user\Desktop\5BQwrSLxIZ.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ |
Source: C:\Users\user\Desktop\5BQwrSLxIZ.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ |
Source: C:\Users\user\Desktop\5BQwrSLxIZ.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ |
Source: chrome.exe |
Memory has grown: Private usage: 8MB later: 40MB |
Source: Network traffic |
Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 45.88.76.238:80 |
Source: Network traffic |
Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.5:49704 -> 45.88.76.238:80 |
Source: Network traffic |
Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 45.88.76.238:80 -> 192.168.2.5:49704 |
Source: Network traffic |
Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.5:49704 -> 45.88.76.238:80 |
Source: Network traffic |
Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 45.88.76.238:80 -> 192.168.2.5:49704 |
Source: Network traffic |
Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.5:49704 -> 45.88.76.238:80 |
Source: Malware configuration extractor |
URLs: http://45.88.76.238/3b55d279dd60140c.php |
Source: global traffic |
HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 29 Oct 2024 17:42:11 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:30:30 GMTETag: "10e436-5e7eeebed8d80"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 
69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 |