Analysis
- max time kernel: 149s
- max time network: 63s
- platform: windows10_x64
- resource: win10v200430
- submitted: 17-07-2020 08:53
- Static task: static1
- Behavioral task: behavioral1
- Sample: DataStealer (1).bin.exe
- Resource: win7
General
- Target: DataStealer (1).bin.exe
- Size: 1.1MB
- MD5: 0169eccba69a58cdffbb1dce2863ae8f
- SHA1: 9718f39bb9307a1b95d9bb403262ffce82758074
- SHA256: 9a3b89ea2396b22020fc8e3bde1b832ca70d8b875b088f451f54e85f359380df
- SHA512: 97ca44993d2a1cf2ecbd423b29bbcea2a500de96b7f7a899ed77d5836f1d111311ee19770c1a20caffeeadc64ccb98e86d1618779b48470f29f94d0eb5f75750
Malware Config
Signatures
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    3812  DataStealer (1).bin.exe
    3812  DataStealer (1).bin.exe
- Echelon log file (1 IoC)
  Detects a log file produced by Echelon.
  Processes:
    yara_rule
    echelon_log_file
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    1     api.ipify.org
    2     api.ipify.org
    3     ip-api.com
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  3812  DataStealer (1).bin.exe
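The signatures above are the sandbox's behavioural rules. What follows is an added example, not the sandbox's own engine and not code from the sample: a small Python triage that re-creates the logic behind five of them (SeDebugPrivilege via AdjustPrivilegeToken, Uninstall-key lookups, external-IP web services, browser-profile reads, process enumeration) and runs it over constructed events in the report's pid/process/ioc shape. The event tuple format, the sample events, the lookup hosts beyond api.ipify.org and ip-api.com, the browser file names and the API names are assumptions. The Echelon log-file YARA rule is not reproduced because its body is not on the page.

```python
"""Behavioural triage over constructed sandbox events.

Added example: re-creates the kind of checks behind the report's
signatures (AdjustPrivilegeToken, Uninstall-key lookups, external-IP
web services, browser-profile reads, process enumeration). The event
format, the sample events and most of the indicator lists are
assumptions, not the sandbox's engine or its output.
"""
import re
from collections import defaultdict

# Public-IP lookup services. api.ipify.org and ip-api.com appear in the
# report; the other two are assumed additions.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "ipinfo.io", "icanhazip.com"}

# Registry key walked to enumerate installed software.
UNINSTALL_KEY_RE = re.compile(r"\\CurrentVersion\\Uninstall(\\|$)", re.IGNORECASE)

# Credential/cookie stores in the Chromium and Firefox profile layouts
# (file names assumed for the example).
BROWSER_DATA_RE = re.compile(
    r"\\User Data\\[^\\]+\\(Login Data|Cookies|Web Data)$"
    r"|\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key4\.db|cookies\.sqlite)$",
    re.IGNORECASE,
)

# Win32/NT APIs that walk the process list (assumed list).
PROC_ENUM_APIS = {"CreateToolhelp32Snapshot", "Process32First", "Process32Next",
                  "EnumProcesses", "NtQuerySystemInformation"}

PROC = "DataStealer (1).bin.exe"
# Constructed events as (pid, process, kind, detail); kind is one of
# token, api, regread, fileread, http. Paths and hosts are sample data.
SAMPLE_EVENTS = [
    (3812, PROC, "token", "SeDebugPrivilege"),
    (3812, PROC, "api", "CreateToolhelp32Snapshot"),
    (3812, PROC, "api", "Process32Next"),
    (3812, PROC, "regread", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"),
    (3812, PROC, "regread", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    (3812, PROC, "fileread", r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (3812, PROC, "fileread", r"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default\logins.json"),
    (3812, PROC, "fileread", r"C:\Users\Admin\Documents\notes.txt"),
    (3812, PROC, "http", "api.ipify.org/?format=json"),
    (3812, PROC, "http", "api.ipify.org/?format=json"),
    (3812, PROC, "http", "ip-api.com/json/"),
]


def classify(event):
    """Map one event to (signature, ioc), or None if nothing fires."""
    pid, proc, kind, detail = event
    who = f"{proc} (pid {pid})"
    if kind == "token" and detail == "SeDebugPrivilege":
        return "Suspicious use of AdjustPrivilegeToken", f"{who}: Token: {detail}"
    if kind == "api" and detail in PROC_ENUM_APIS:
        return "Suspicious behavior: EnumeratesProcesses", f"{who}: {detail}"
    if kind == "regread" and UNINSTALL_KEY_RE.search(detail):
        return "Checks installed software on the system", detail
    if kind == "fileread" and BROWSER_DATA_RE.search(detail):
        return "Reads user/profile data of web browsers", detail
    if kind == "http":
        host = detail.split("/", 1)[0].lower()
        if host in IP_LOOKUP_HOSTS:
            return "Looks up external IP address via web service", host
    return None


def triage(events):
    """Group every firing event under its signature; each hit is one IoC."""
    hits = defaultdict(list)
    for ev in events:
        result = classify(ev)
        if result is not None:
            sig, ioc = result
            hits[sig].append(ioc)
    return dict(hits)


def report(hits):
    """Render hits in the report's own 'signature (N IoCs)' style."""
    lines = []
    for sig, iocs in hits.items():
        n = len(iocs)
        lines.append(f"{sig} ({n} IoC{'s' if n != 1 else ''})")
        lines.extend(f"    {ioc}" for ioc in iocs)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_EVENTS)))
```

Two points for anyone turning these signatures into detections: api.ipify.org and ip-api.com are legitimate services, so a hit on the host alone is weak evidence; the useful alert is the combination seen here (one unsigned process that takes SeDebugPrivilege, walks the process list, reads browser credential stores and then looks up its public IP), which is why the triage keys hits by process. The Uninstall-key read is also ordinary for installers and inventory agents and should be weighted the same way.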