9f958446ebb32ab8bffa0d3573f391dff2af026fa3cdac783d51b0906335b273

General

Target

grabbot_0.1.6.6.vir.exe
Size

548KB
MD5

a05f1cacb27ca3365c5abab71d7c64c4
SHA1

84e593a0d636994208d8a4c1e22ac52b39fe7c9e
SHA256

9f958446ebb32ab8bffa0d3573f391dff2af026fa3cdac783d51b0906335b273
SHA512

96346c6f8358ecd0a48d3c53531436b221cfcd2d72cc56e45cf98dfb2675f797ff1654b566b8f8d710c9ed264c611d830de14e341d75e4fbb3b308a57a7ac307

Score

7^/10

persistence spyware

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of AdjustPrivilegeToken 126 IoCs

Processes:

grabbot_0.1.6.6.vir.exe

description	pid	process
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeSecurityPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeSecurityPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeSecurityPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeSecurityPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeSecurityPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeSecurityPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeSecurityPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeSecurityPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeSecurityPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeSecurityPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeSecurityPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeSecurityPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeSecurityPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeSecurityPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeSecurityPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeSecurityPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeSecurityPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeSecurityPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeSecurityPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeSecurityPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeSecurityPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeSecurityPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeSecurityPrivilege	676	grabbot_0.1.6.6.vir.exe
Token: SeBackupPrivilege	676	grabbot_0.1.6.6.vir.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

grabbot_0.1.6.6.vir.exeExplorer.EXE

pid process

676 grabbot_0.1.6.6.vir.exe
676 grabbot_0.1.6.6.vir.exe
1184 Explorer.EXE
1184 Explorer.EXE
1184 Explorer.EXE

pid	process
676	grabbot_0.1.6.6.vir.exe
676	grabbot_0.1.6.6.vir.exe
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

grabbot_0.1.6.6.vir.exe

description	pid	process	target process
PID 676 wrote to memory of 1184	676	grabbot_0.1.6.6.vir.exe	Explorer.EXE
PID 676 wrote to memory of 1184	676	grabbot_0.1.6.6.vir.exe	Explorer.EXE
PID 676 wrote to memory of 1184	676	grabbot_0.1.6.6.vir.exe	Explorer.EXE

Deletes itself 1 IoCs

Processes:

Explorer.EXE

pid process

1184 Explorer.EXE
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1184 Explorer.EXE
1184 Explorer.EXE
1184 Explorer.EXE
1184 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1184 Explorer.EXE
1184 Explorer.EXE
1184 Explorer.EXE
1184 Explorer.EXE

pid	process
1184	Explorer.EXE

pid	process
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE

pid	process
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\{A0563920-8700-4800-C000-14F57FAC8C} = "\"C:\\Users\\Admin\\AppData\\Roaming\\{A0563920-8700-4800-C000-14F57FAC8C}\\hinotyafgl.exe\""	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Deletes itself
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Adds Run key to start application
PID:1184

C:\Users\Admin\AppData\Local\Temp\grabbot_0.1.6.6.vir.exe
"C:\Users\Admin\AppData\Local\Temp\grabbot_0.1.6.6.vir.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:676