Deep Static Analysis — StealC | Threat: high
File Identity
| Field | Value |
|---|---|
| SHA256 | b9505282931ce70307a14689daf7767ba1124113c24c7e174499bb5331351a5e |
| MD5 | d5e2e6b8c0000408bac3946589ec5562 |
| SHA1 | e242f6507a82d5d089064e52f17cac1180b0d67c |
| File Name | install-1.5.exe |
| Size | 2975616 bytes |
| Type | /opt/ksentinel/samples/b9505282931ce703_install-1.5.exe: PE32+ executable (GUI) x86-64, for MS Windo |
| Compile Timestamp | Unknown (the PE TimeDateStamp field is zero, see the PE Security Scan below) |
| Packer | UPX |
C2 Servers / Dropper Domains
| Address | Type | Status |
|---|---|---|
| godebugs.Info | Domain | active |
| www.pakistani.org | Domain | active |
Caveat: `godebugs.Info` is byte-for-byte the name of a Go standard-library symbol (the exported `Info` type of package `internal/godebugs`), and this sample carries other Go runtime strings (`ryuFtoaFixed32`, from package `strconv`). Treat it as a probable string-extraction false positive unless network telemetry confirms a resolution or connection; the family-wide C2 table at the end of this page records the same entry as inactive.
Detected IOCs
| Value | Type |
|---|---|
| godebugs.Info | Domain |
| www.pakistani.org | Domain |
Capabilities
- TCP/Raw Socket C2
Base64 Decode:
- Candidate 1: 1776356839400250464677810668945312588817841970012523233890533447265625ryuFtoaFixed32 (scanner output: `[hhX` followed by non-printable bytes)
- Candidate 2: 213877787807814456755295395851135253906256938893903907228377647697925567626953125ryuFtoaFixed32 (scanner output: empty)
Neither candidate is a genuine Base64 payload. `ryuFtoaFixed32` is a float-formatting function in Go's `strconv` package, and the long decimal runs in front of it happen to consist entirely of Base64-alphabet characters with a length that is a multiple of four, so a charset-and-length check accepts them; they decode to mostly non-printable bytes and should be discarded as false positives.
Developer Hints
Telegram: @6nUa @AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBB @COMU @mA2_ @mA2_6
These handles come from matching a bare `@` in packed binary data and are unverified. Telegram usernames are at least five characters long and begin with a letter, so `@6nUa` and `@COMU` cannot be real usernames; the remaining entries are format-valid but are not corroborated by any other artefact in this report.
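The three extraction passes above (domains, Base64 candidates, Telegram handles) all produce false positives on a Go binary. The following is an added example, not the analysis platform's own code, of the sanity checks a practitioner would run before promoting such candidates to IOCs. The rules are heuristics chosen for this example: a Base64 candidate must decode to mostly printable text, a domain candidate must not have the `pkg.Exported` shape of a Go symbol, and a Telegram handle must satisfy the 5-32 character, letter-first format. The candidate lists are constructed from this page's scanner output plus one known-good Base64 control value.

```python
"""Filters for scanner-extracted IOC candidates (added example; heuristics are mine)."""
import base64
import binascii
import re

# Base64 alphabet with optional padding; length and decode checks follow.
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
# Go symbol shape "pkg.Exported": lowercase package, dot, capitalised identifier.
# Heuristic assumption for this example: real hostnames are never written this way.
GO_SYMBOL_RE = re.compile(r"[a-z][a-z0-9]*\.[A-Z][A-Za-z0-9]*")
DNS_LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")
# Telegram username format: 5-32 chars, starts with a letter, letters/digits/underscore.
TELEGRAM_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]{4,31}")


def plausible_base64(candidate: str, min_len: int = 16, min_printable: float = 0.9) -> bool:
    """True only if the string decodes to mostly printable text.
    Digit runs from a Go binary pass the alphabet/length test but fail here."""
    if len(candidate) < min_len or len(candidate) % 4 or not B64_RE.fullmatch(candidate):
        return False
    try:
        raw = base64.b64decode(candidate, validate=True)
    except (binascii.Error, ValueError):
        return False
    if not raw:
        return False
    printable = sum(1 for b in raw if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(raw) >= min_printable


def plausible_domain(candidate: str) -> bool:
    """Reject Go-style symbols, then require well-formed labels and an alphabetic TLD."""
    if GO_SYMBOL_RE.fullmatch(candidate):
        return False
    labels = candidate.lower().split(".")
    if len(labels) < 2 or not all(DNS_LABEL_RE.fullmatch(lbl) for lbl in labels):
        return False
    return labels[-1].isalpha() and len(labels[-1]) >= 2


def plausible_telegram_handle(candidate: str) -> bool:
    """Format check only; a well-formed handle is still unverified."""
    return TELEGRAM_RE.fullmatch(candidate.lstrip("@")) is not None


def filter_candidates(candidates: dict) -> dict:
    """candidates: {"base64": [...], "domain": [...], "telegram": [...]}.
    Returns, per kind, the subset that survives its check."""
    checks = {"base64": plausible_base64, "domain": plausible_domain,
              "telegram": plausible_telegram_handle}
    return {kind: [c for c in values if checks[kind](c)]
            for kind, values in candidates.items() if kind in checks}


# Constructed from the scanner output on this page, plus one known-good control value.
PAGE_CANDIDATES = {
    "base64": [
        "1776356839400250464677810668945312588817841970012523233890533447265625ryuFtoaFixed32",
        "YWRtaW46cGFzc3dvcmQ=",  # control value: base64 of "admin:password"
    ],
    "domain": ["godebugs.Info", "www.pakistani.org", "ryuFtoaFixed32"],
    "telegram": ["@6nUa", "@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBB", "@COMU", "@mA2_", "@mA2_6"],
}

if __name__ == "__main__":
    for kind, kept in filter_candidates(PAGE_CANDIDATES).items():
        print(kind, kept)
```

Running it keeps `www.pakistani.org`, drops both digit-run "Base64" candidates while keeping the control value, and rejects the handles that are too short or start with a digit; the format-valid handles survive, which is exactly why a format check alone cannot promote them to IOCs.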
PE Analysis
PE Security Scan
- File entropy: 7.079141 (probably packed)
- FPU anti-disassembly: no
- Image base: suspicious
- Entry point: normal
- DOS stub: normal
- TLS directory: not found
- Timestamp: zero
The whole-file entropy above 7 and the UPX packer identification are consistent with each other. If the UPX header has not been tampered with, a static unpack (`upx -d`) should precede any string or import analysis; a zeroed timestamp removes the build-date pivot, and the absence of a TLS directory rules out TLS-callback tricks in the packed layer only.
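The scan fields above come straight from the PE headers. As an added example (not the scanner's code), the block below parses just the DOS, COFF, optional and section headers of a PE32/PE32+ image and reproduces the entropy, packer, image-base, timestamp and TLS-directory checks, then exercises them on a constructed PE32+ image rather than the real sample. The 7.0 entropy threshold and the per-format "conventional image base" sets are assumptions made for this example; the synthetic image builder exists only to produce test input and yields a non-runnable file.

```python
"""Header-level PE triage reproducing the scan fields above (added example, not the scanner's code)."""
import math
import struct

PACKED_ENTROPY_THRESHOLD = 7.0   # assumption: the same rule of thumb the report applies
# Assumed conventional image bases per format; anything else is reported as suspicious.
CONVENTIONAL_IMAGE_BASE = {0x10B: {0x400000, 0x10000000}, 0x20B: {0x140000000, 0x180000000}}
TLS_DIRECTORY_INDEX = 9          # IMAGE_DIRECTORY_ENTRY_TLS


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is uniform, compressed or encrypted data sits above ~7."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_triage(data: bytes) -> dict:
    """Parse the DOS, COFF, optional and section headers; nothing else is needed."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsect, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:      # PE32+: 8-byte ImageBase at +24, data directories at +112
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        dirs = opt + 112
    elif magic == 0x10B:    # PE32: 4-byte ImageBase at +28, data directories at +96
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        dirs = opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", data, dirs - 4)[0]   # NumberOfRvaAndSizes
    tls_rva = tls_size = 0
    if num_dirs > TLS_DIRECTORY_INDEX:
        tls_rva, tls_size = struct.unpack_from("<II", data, dirs + 8 * TLS_DIRECTORY_INDEX)
    sections = []
    for i in range(nsect):
        hdr = opt + opt_size + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        _, _, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append({"name": name, "raw_size": raw_size,
                         "entropy": round(shannon_entropy(data[raw_ptr:raw_ptr + raw_size]), 3)})
    entropy = shannon_entropy(data)
    names = {s["name"] for s in sections}
    return {
        "pe32plus": magic == 0x20B,
        "machine": machine,
        "entropy": round(entropy, 3),
        "probably_packed": entropy > PACKED_ENTROPY_THRESHOLD,
        "upx_sections": bool(names & {"UPX0", "UPX1", "UPX2"}),
        "imagebase": image_base,
        "imagebase_suspicious": image_base not in CONVENTIONAL_IMAGE_BASE[magic],
        "timestamp_zero": timestamp == 0,
        "tls_directory": tls_rva != 0 and tls_size != 0,
        "sections": sections,
    }


def build_synthetic_pe(sections, timestamp=0, image_base=0x140000000, tls=False) -> bytes:
    """Constructed test input, not a real sample: a minimal PE32+ image whose headers
    carry only the fields pe_triage reads. sections is a list of (name, body) pairs."""
    opt_size = 112 + 16 * 8
    hdr_len = 64 + 4 + 20 + opt_size + 40 * len(sections)
    raw_off = (hdr_len + 511) // 512 * 512
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), timestamp, 0, 0, opt_size, 0x22)
    headers, bodies, ptr = [], [], raw_off
    for i, (name, body) in enumerate(sections):
        padded = body + b"\0" * (-len(body) % 512)
        headers.append(struct.pack("<8sIIIIIIHHI", name.encode(), max(len(body), 1),
                                   0x1000 * (i + 1), len(padded), ptr, 0, 0, 0, 0, 0x60000020))
        bodies.append(padded)
        ptr += len(padded)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 14, 0, 0, 0, 0, 0x1000, 0x1000, image_base, 0x1000, 512,
                      6, 0, 0, 0, 6, 0, 0, 0x1000 * (len(sections) + 1), raw_off, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    directories = [(0, 0)] * 16
    if tls:
        directories[TLS_DIRECTORY_INDEX] = (0x3000, 0x28)   # any non-zero entry counts
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in directories)
    head = dos + b"PE\0\0" + coff + opt + b"".join(headers)
    return head + b"\0" * (raw_off - len(head)) + b"".join(bodies)


if __name__ == "__main__":
    # Packed-looking image: UPX section names, uniform bytes, 64-bit at a 32-bit image base.
    packed = build_synthetic_pe([("UPX0", b""), ("UPX1", bytes(range(256)) * 32)],
                                timestamp=0, image_base=0x400000)
    print(pe_triage(packed))
```

Per-section entropy is reported alongside the whole-file value because a packer stub plus one high-entropy section is the usual shape of a UPX image, whereas a single high-entropy `.rsrc` points at an embedded payload instead.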
Import Table (summary)
| Library | Function | Hint |
|---|---|---|
| kernel32.dll | WriteFile | 0 |
| kernel32.dll | WriteConsoleW | 0 |
The summary is cut off after the second entry. The visible import table belongs to the packed image; the sample's real imports only become visible after unpacking, so this list must not be used for capability inference.
Family Detection — String Evidence
No family-specific strings were found (obfuscated). Note the mismatch with the profile below: this sample is a 64-bit PE carrying Go standard-library symbols (`ryuFtoaFixed32`, `godebugs.Info`), whereas StealC is profiled as a C program. Family attribution for this sample therefore does not rest on string evidence and should be treated as low confidence until the unpacked binary has been examined.
StealC — Malware Profile
StealC is a malware-as-a-service (MaaS) infostealer family that appeared in 2023 and is written in C. It is believed to have been developed with inspiration from the Vidar and Raccoon source code. It targets 30+ browsers, cryptocurrency wallets, FTP clients, email clients and Discord/Telegram tokens.
| Field | Value |
|---|---|
| Malware Type | Infostealer |
| Programming Language | C |
| C2 Protocol | HTTP |
| Target Systems | Windows |
Technical Details
Written in C; HTTP POST C2; browser stealer (Chromium/Firefox); cryptocurrency wallet stealer (50+ browser extensions); Telegram stealer; Steam and Discord token stealer; fingerprint module.
Capabilities & Behavior
- Browser credentials
- Cookie theft
- Cryptocurrency wallet theft
- System information
- Screenshot capture
- FTP/SSH client passwords
- Email client theft
- Data exfiltration
IOC List (5 indicators)
IOC — StealC
| Type | Value | Note |
|---|---|---|
| sha1 | e242f6507a82d5d089064e52f17cac1180b0d67c | |
| sha256 | b9505282931ce70307a14689daf7767ba1124113c24c7e174499bb5331351a5e | |
| md5 | d5e2e6b8c0000408bac3946589ec5562 | |
| domain | godebugs.Info | identical to the Go standard-library symbol internal/godebugs.Info; probable extraction false positive, unconfirmed |
| domain | www.pakistani.org | |
C2 Servers (4 recorded servers for this family)
| Address | Type | Port | Protocol | Status | Country |
|---|---|---|---|---|---|
| www.pakistani.org | domain | — | HTTP | active | — |
| 45.87.152.64 | ip | 80 | HTTP | inactive | NL |
| 185.174.137.219 | ip | 80 | HTTP | inactive | RU |
| godebugs.Info | domain | — | HTTP | inactive | — |
C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.