crypted[1].bin

General
Target: crypted[1].bin
Filesize: N/A
Completed: 29-11-2019 16:22
Score: 10/10
SHA256: 9a923eb389bf1c51d9a53cc52951dcbc2bd4f2ac2cb810295e201987031a6e57
Malware Config

Signatures (40)
Reads Secure browser user data, possible credential harvesting (crypted[1].bin.exe)
  ioc: C:\Users\Admin\AppData\Local\Safer Technologies\Secure Browser\User Data\  pid: 1304  process: crypted[1].bin.exe

Reads Waterfox user profile, possible credential harvesting (crypted[1].bin.exe)
  ioc: C:\Users\Admin\AppData\Roaming\WaterFox\Profiles\  pid: 1304  process: crypted[1].bin.exe

Reads Uran user data, possible credential harvesting (crypted[1].bin.exe)
  ioc: C:\Users\Admin\AppData\Local\uCozMedia\Uran\User Data\  pid: 1304  process: crypted[1].bin.exe

Reads Tor Browser user profile, possible credential harvesting (crypted[1].bin.exe)
  ioc: C:\Users\Admin\AppData\Local\TorBro\Profile\  pid: 1304  process: crypted[1].bin.exe

Reads Nichrome user data, possible credential harvesting (crypted[1].bin.exe)
  ioc: C:\Users\Admin\AppData\Local\Nichrome\User Data\  pid: 1304  process: crypted[1].bin.exe

Reads Qip surf user data, possible credential harvesting (crypted[1].bin.exe)
  ioc: C:\Users\Admin\AppData\Local\QIP Surf\User Data\  pid: 1304  process: crypted[1].bin.exe

Reads 7star user data, possible credential harvesting (crypted[1].bin.exe)
  ioc: C:\Users\Admin\AppData\Local\7Star\7Star\User Data\  pid: 1304  process: crypted[1].bin.exe

Reads Torch user data, possible credential harvesting (crypted[1].bin.exe)
  ioc: C:\Users\Admin\AppData\Local\Torch\User Data\  pid: 1304  process: crypted[1].bin.exe

Reads Pale Moon browser user profile, possible credential harvesting (crypted[1].bin.exe)
  ioc: C:\Users\Admin\AppData\Roaming\Moonchild Productions\Pale Moon\Profiles\  pid: 1304  process: crypted[1].bin.exe
Suspicious use of SetWindowsHookEx (crypted[1].bin.exe)
  pid: 1304  process: crypted[1].bin.exe

crypted[1].bin.exe
  ioc: drive.google.com
  ioc: File opened for modification C:\Users\Admin\AppData\Local\Temp\machineinfo.txt  pid: 1304  process: crypted[1].bin.exe
  ioc: HTTP URL http://34.76.145.229/gate/log.php
  ioc: HTTP URL http://34.76.145.229/file_handler/file.php?hash=d3a547a5fa34fecef563a4e0d65825c4539a5386&js=8eb1309d3b4163e746e3f66ce26ccf5f269dd5e5&callback=http://34.76.145.229/gate
Reads Sputnik user data, possible credential harvesting (crypted[1].bin.exe)
  ioc: C:\Users\Admin\AppData\Local\Sputnik\Sputnik\User Data\  pid: 1304  process: crypted[1].bin.exe

Reads user profile for Thunderbird email client, possible credential harvesting (crypted[1].bin.exe)
  ioc: C:\Users\Admin\AppData\Roaming\Thunderbird\Profiles\  pid: 1304  process: crypted[1].bin.exe

Reads Rockmelt user data, possible credential harvesting (crypted[1].bin.exe)
  ioc: C:\Users\Admin\AppData\Local\RockMelt\User Data\  pid: 1304  process: crypted[1].bin.exe

Reads Vivaldi user data, possible credential harvesting (crypted[1].bin.exe)
  ioc: C:\Users\Admin\AppData\Local\Vivaldi\User Data\  pid: 1304  process: crypted[1].bin.exe

Reads Amigo user data, possible credential harvesting (crypted[1].bin.exe)
  ioc: C:\Users\Admin\AppData\Local\Amigo\User Data\  pid: 1304  process: crypted[1].bin.exe

Reads Orbitum user data, possible credential harvesting (crypted[1].bin.exe)
  ioc: C:\Users\Admin\AppData\Local\Orbitum\User Data\  pid: 1304  process: crypted[1].bin.exe

Reads Suhba user data, possible credential harvesting (crypted[1].bin.exe)
  ioc: C:\Users\Admin\AppData\Local\Suhba\User Data\  pid: 1304  process: crypted[1].bin.exe

Checks for installed software on the system (crypted[1].bin.exe)
  description: Key value queried  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName  pid: 1304  process: crypted[1].bin.exe

Reads Chromium user data, possible credential harvesting (crypted[1].bin.exe)
  ioc: C:\Users\Admin\AppData\Local\Chromium\User Data\  pid: 1304  process: crypted[1].bin.exe

Reads Dragon user data, possible credential harvesting (crypted[1].bin.exe)
  ioc: C:\Users\Admin\AppData\Local\Comodo\Dragon\User Data\  pid: 1304  process: crypted[1].bin.exe

Runs ping.exe (PING.EXE)
  pid: 1232  process: PING.EXE

Reads Kometa user data, possible credential harvesting (crypted[1].bin.exe)
  ioc: C:\Users\Admin\AppData\Local\Kometa\User Data\  pid: 1304  process: crypted[1].bin.exe

Reads Superbird user data, possible credential harvesting (crypted[1].bin.exe)
  ioc: C:\Users\Admin\AppData\Local\Superbird\User Data\  pid: 1304  process: crypted[1].bin.exe
Modifies system certificate store (crypted[1].bin.exe)
  description: Set value (data)  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob (reported three times; certificate blob data omitted)  pid: 1304  process: crypted[1].bin.exe
Reads Chrome user data, possible credential harvesting (crypted[1].bin.exe)
  ioc: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\  pid: 1304  process: crypted[1].bin.exe

Reads Epic privacy browser user data, possible credential harvesting (crypted[1].bin.exe)
  ioc: C:\Users\Admin\AppData\Local\Epic Privacy Browser\User Data\  pid: 1304  process: crypted[1].bin.exe

Reads Centbrowser user data, possible credential harvesting (crypted[1].bin.exe)
  ioc: C:\Users\Admin\AppData\Local\CentBrowser\User Data\  pid: 1304  process: crypted[1].bin.exe

Reads Elements browser user data, possible credential harvesting (crypted[1].bin.exe)
  ioc: C:\Users\Admin\AppData\Local\Elements Browser\User Data\  pid: 1304  process: crypted[1].bin.exe

Reads Mustang user data, possible credential harvesting (crypted[1].bin.exe)
  ioc: C:\Users\Admin\AppData\Local\Rafotech\Mustang\User Data\  pid: 1304  process: crypted[1].bin.exe

Deletes itself (cmd.exe)
  pid: 1800  process: cmd.exe

Reads Chrome SxS user data, possible credential harvesting (crypted[1].bin.exe)
  ioc: C:\Users\Admin\AppData\Local\Google\Chrome SxS\User Data\  pid: 1304  process: crypted[1].bin.exe

Reads Bromium user data, possible credential harvesting (crypted[1].bin.exe)
  ioc: C:\Users\Admin\AppData\Local\Bromium\User Data\  pid: 1304  process: crypted[1].bin.exe

Reads Chedot user data, possible credential harvesting (crypted[1].bin.exe)
  ioc: C:\Users\Admin\AppData\Local\Chedot\User Data\  pid: 1304  process: crypted[1].bin.exe

Reads Firefox user profile, possible credential harvesting (crypted[1].bin.exe)
  ioc: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\  pid: 1304  process: crypted[1].bin.exe

Accesses Bither wallet, possible credential harvesting (crypted[1].bin.exe)
  description: File opened (read-only)  ioc: C:\Users\Admin\AppData\Roaming\Bither\address.db  pid: 1304  process: crypted[1].bin.exe

Suspicious use of WriteProcessMemory (crypted[1].bin.exe, cmd.exe)
  description: PID 1304 wrote to memory of 1800  pid: 1304  process: crypted[1].bin.exe  target process: cmd.exe
  description: PID 1800 wrote to memory of 1232  pid: 1800  process: cmd.exe  target process: PING.EXE

raccoon family

Loads dropped DLL (crypted[1].bin.exe)
  pid: 1304  process: crypted[1].bin.exe

Reads Go! user data, possible credential harvesting (crypted[1].bin.exe)
  ioc: C:\Users\Admin\AppData\Local\Go!\User Data\  pid: 1304  process: crypted[1].bin.exe
Processes (4)

C:\Users\Admin\AppData\Local\Temp\crypted[1].bin.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\crypted[1].bin.exe"
  signatures: Accesses Bither wallet, possible credential harvesting; Checks for installed software on the system; Loads dropped DLL; Modifies system certificate store; Reads 7star user data, possible credential harvesting; Reads Amigo user data, possible credential harvesting; Reads Bromium user data, possible credential harvesting; Reads Centbrowser user data, possible credential harvesting; Reads Chedot user data, possible credential harvesting; Reads Chrome SxS user data, possible credential harvesting; Reads Chrome user data, possible credential harvesting; Reads Chromium user data, possible credential harvesting; Reads Dragon user data, possible credential harvesting; Reads Elements browser user data, possible credential harvesting; Reads Epic privacy browser user data, possible credential harvesting; Reads Firefox user profile, possible credential harvesting; Reads Go! user data, possible credential harvesting; Reads Kometa user data, possible credential harvesting; Reads Mustang user data, possible credential harvesting; Reads Nichrome user data, possible credential harvesting; Reads Orbitum user data, possible credential harvesting; Reads Pale Moon browser user profile, possible credential harvesting; Reads Qip surf user data, possible credential harvesting; Reads Rockmelt user data, possible credential harvesting; Reads Secure browser user data, possible credential harvesting; Reads Sputnik user data, possible credential harvesting; Reads Suhba user data, possible credential harvesting; Reads Superbird user data, possible credential harvesting; Reads Tor Browser user profile, possible credential harvesting; Reads Torch user data, possible credential harvesting; Reads Uran user data, possible credential harvesting; Reads Vivaldi user data, possible credential harvesting; Reads Waterfox user profile, possible credential harvesting; Reads user profile for Thunderbird email client, possible credential harvesting; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\cmd.exe
  command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\crypted[1].bin.exe"
  signatures: Deletes itself; Suspicious use of WriteProcessMemory

C:\Windows\system32\conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe "-1333835286-1054468390-1472936826-787043865-20918172221881988614-2562341841526789034"

C:\Windows\SysWOW64\PING.EXE
  command line: ping 1.1.1.1 -n 1 -w 3000
  signatures: Runs ping.exe