9a171356b47003ea038e123e7fd636d491b48fdef992155d422ce46f8e8d3518

Analysis

max time kernel
15s
max time network
110s
platform
windows10_x64
resource
win10v20201028
submitted
23-02-2021 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83409b2b12d2a4ac2a46a4758d155d59.exe
Size

6.5MB
MD5

83409b2b12d2a4ac2a46a4758d155d59
SHA1

d12a9bf78ada72e3bf6a8e97805e281b789d25b4
SHA256

9a171356b47003ea038e123e7fd636d491b48fdef992155d422ce46f8e8d3518
SHA512

c18ca02e545cc7aa603a8e4d9f071bbd1ab52a98918de8a4bb0a8a21ea702c698c716dece1175c07917e9bf4db511b8b15366402e64bc28cb60fe952e14776b2

Score

7^/10

spyware

Malware Config

Signatures

Loads dropped DLL 13 IoCs

Processes:

83409b2b12d2a4ac2a46a4758d155d59.exe

pid	process
1500	83409b2b12d2a4ac2a46a4758d155d59.exe
1500	83409b2b12d2a4ac2a46a4758d155d59.exe
1500	83409b2b12d2a4ac2a46a4758d155d59.exe
1500	83409b2b12d2a4ac2a46a4758d155d59.exe
1500	83409b2b12d2a4ac2a46a4758d155d59.exe
1500	83409b2b12d2a4ac2a46a4758d155d59.exe
1500	83409b2b12d2a4ac2a46a4758d155d59.exe
1500	83409b2b12d2a4ac2a46a4758d155d59.exe
1500	83409b2b12d2a4ac2a46a4758d155d59.exe
1500	83409b2b12d2a4ac2a46a4758d155d59.exe
1500	83409b2b12d2a4ac2a46a4758d155d59.exe
1500	83409b2b12d2a4ac2a46a4758d155d59.exe
1500	83409b2b12d2a4ac2a46a4758d155d59.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 api.ipify.org
7 api.ipify.org

flow	ioc
6	api.ipify.org
7	api.ipify.org

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

83409b2b12d2a4ac2a46a4758d155d59.exe

description	pid	process	target process
PID 636 wrote to memory of 1500	636	83409b2b12d2a4ac2a46a4758d155d59.exe	83409b2b12d2a4ac2a46a4758d155d59.exe
PID 636 wrote to memory of 1500	636	83409b2b12d2a4ac2a46a4758d155d59.exe	83409b2b12d2a4ac2a46a4758d155d59.exe

C:\Users\Admin\AppData\Local\Temp\83409b2b12d2a4ac2a46a4758d155d59.exe
"C:\Users\Admin\AppData\Local\Temp\83409b2b12d2a4ac2a46a4758d155d59.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:636

C:\Users\Admin\AppData\Local\Temp\83409b2b12d2a4ac2a46a4758d155d59.exe
"C:\Users\Admin\AppData\Local\Temp\83409b2b12d2a4ac2a46a4758d155d59.exe"
2⤵
- Loads dropped DLL
PID:1500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI6362\VCRUNTIME140.dll
MD5
18571d6663b7d9ac95f2821c203e471f

SHA1
3c186018df04e875d6b9f83521028a21f145e3be

SHA256
0b040a314c19ff88f38fd9c89dca2d493113a6109adb8525733c3f6627da888f

SHA512
c8cbca1072b8cb04f9d82135c91ff6d7a539cb7a488671cecb6b5e2f11a4807f47ad9af5a87ebee44984ab71d7c44fc87850f9d04fd2c5019ec1b6a1b483ca21

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6362\_bz2.pyd
MD5
8394e82d52e784e535b1ec992a7f8c32

SHA1
fd86dc3b455943456697e03977ccdace4053ef8b

SHA256
c019f25325597213805cbf7b1049b85d7ae7369c73114ccd1bea5d189a8ff978

SHA512
7fccf96a9b259e7fbd0a4d928b29ab4736843ae659d2b02466d4395f1a57c8212eb7730a25d9fb665062f77a980e3cdb6aac820791dfa98f4028addc22286df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6362\_ctypes.pyd
MD5
890e9cfab85234fad3f1ae83b092c7cc

SHA1
85419a7cb1e1fa0275b07cf451c1125c31e8b1f7

SHA256
99a40375974e560d0ed9756dcfb77ac3aaaecf2434b442f0f3df908cfe7e821f

SHA512
421d5c161046f57b5d7f94eb628f041b029ff229f08bf0f211d1432b6501ffefa2a57829e74284101f6746f61add1461f1125aefdf3d39027492427a509aa511

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6362\_hashlib.pyd
MD5
0e06dabd422e093cd7e98e1be6150e8f

SHA1
215e88d0766fb614ab5d4fee27b53af0c289d86f

SHA256
4df493fedb9b7dd97cad3803dc7ae89e98a029fd4ede738a32f489699292c97f

SHA512
0585cc9db3f6146ba2af3e30fcba3b6ef2a91f3c37f241dad6c88bd2cfdba0016a148682a4a6fa665e575b1fc761e4c84f679ea009d230c3d969bf4bcffe99b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6362\_lzma.pyd
MD5
ae9c6dc60d0c38ab10cb7db602ef4243

SHA1
59524ba8b6aa161faad69ad10ac8b707962dd64d

SHA256
589f36321db4db388639353dfa31e0c66e3d1926f0bb29166df3dc9c33624c0e

SHA512
c56b2d739a7854c8e71fe935c2b6c0cbdc9915d73c8ea6445c6b0c4a066d42be13befb1149507c86ea6b404ccd71e7a2d5a12a1101bc9fc886c60c47beb3e4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6362\_socket.pyd
MD5
281d795dcee077b9584bee76d1215491

SHA1
e4b3d62dfc026ea9fc79f8707f5064b907cc31fc

SHA256
e4314a553d10c1cbfecaca60fdd10491c44c8cc1fe577e7ec0478fab02e7de74

SHA512
f8a903a944d5fe25a7c005d0e5af84ae798f2ce21b1e0cfaf0643544947bfd8f0935888e15b2d015c9b155aa96289339d534cee540fcbbf0cdb0f75503be6879

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6362\_ssl.pyd
MD5
0a73996c42e200e23ed2c8666ab3e21e

SHA1
513ddf3a55f8e512b7815e82ee7e05c979ebe2cd

SHA256
5749e35f1135e86e20222c246fcccf2f80358721cd05d56988c3a036b8cb7591

SHA512
cc0bb58a0c4f4cefcdb42b3c5af4447e4784a29b6abcbf200bf70897ed49d0cb7d13516544ca43b9b0681b0828e529dd5200f1de2371be6b98299e58e901f169

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6362\base_library.zip
MD5
5e9d48f470de8392cbc0a01880964f85

SHA1
7a2a41c8c7c38ee096d7810f90e19b63bcb8deca

SHA256
4e52bb6006cfd4cd92ef84fbe46966d4bf3483b9141aabd09f4b4115fdea0019

SHA512
104aab162cce785a801e4a6208258aae764e37356d8519454581eb01afe565a858212f55fec0d654c750f801787bff5e2b9a48c09e86eb1e48d1c1030da96130

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6362\libcrypto-1_1.dll
MD5
cc4cbf715966cdcad95a1e6c95592b3d

SHA1
d5873fea9c084bcc753d1c93b2d0716257bea7c3

SHA256
594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1

SHA512
3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6362\libffi-7.dll
MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6362\libssl-1_1.dll
MD5
bc778f33480148efa5d62b2ec85aaa7d

SHA1
b1ec87cbd8bc4398c6ebb26549961c8aab53d855

SHA256
9d4cf1c03629f92662fc8d7e3f1094a7fc93cb41634994464b853df8036af843

SHA512
80c1dd9d0179e6cc5f33eb62d05576a350af78b5170bfdf2ecda16f1d8c3c2d0e991a5534a113361ae62079fb165fff2344efd1b43031f1a7bfda696552ee173

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6362\python38.dll
MD5
8a6a13127f64757556080d3e4a7e45a0

SHA1
8e9a8e85cebcab07bf62033529ca5631a6d725dd

SHA256
54a34bd2efd0c3dd2ee950adf05d9344c70b0dac40311935763a3f171482a4d9

SHA512
2d4f9cbc544be4c38fccaf618806744bda5065853fa0e7f08bf359994db4bfd29d1cc8ee188ce5e7bfd0c78f7e7625f257fc05e9e736df794fb19fa9738cca16

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6362\select.pyd
MD5
53dc8b954b1666a6b763af2987090811

SHA1
623224a6bd4e892fe4ed0efbbc48da6a0fd8f9d1

SHA256
088cee4291aa57c0745aacd33cc7761451cbc668b10507fb9ca8af7dfdc1bffa

SHA512
c9742b33fc192b7fd5aee36783fb0ee0f4715415d4dc6567807bc92cfd756e65963d342238f108facac62a73384a6d1bc19fb2094cac398dc62cab60e51780d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6362\unicodedata.pyd
MD5
ae6ca1fd8c4755743efa6c326f6488d0

SHA1
99f17eea9329894ed83587b8e34a8f99272e1c22

SHA256
c8b48d5d323faaf49fc96eed77a623c2ed07fbe4a8efc97e04350c0031789b89

SHA512
05406fc8939b8a5aa942cb2f5d97fcb8f732a836a2f010549d39223c4244e734917b5c8de5a5507e4069879f45c928108bb8041af8900dfca4a971750e54e3ce

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI6362\VCRUNTIME140.dll
MD5
18571d6663b7d9ac95f2821c203e471f

SHA1
3c186018df04e875d6b9f83521028a21f145e3be

SHA256
0b040a314c19ff88f38fd9c89dca2d493113a6109adb8525733c3f6627da888f

SHA512
c8cbca1072b8cb04f9d82135c91ff6d7a539cb7a488671cecb6b5e2f11a4807f47ad9af5a87ebee44984ab71d7c44fc87850f9d04fd2c5019ec1b6a1b483ca21

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI6362\_bz2.pyd
MD5
8394e82d52e784e535b1ec992a7f8c32

SHA1
fd86dc3b455943456697e03977ccdace4053ef8b

SHA256
c019f25325597213805cbf7b1049b85d7ae7369c73114ccd1bea5d189a8ff978

SHA512
7fccf96a9b259e7fbd0a4d928b29ab4736843ae659d2b02466d4395f1a57c8212eb7730a25d9fb665062f77a980e3cdb6aac820791dfa98f4028addc22286df3

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI6362\_ctypes.pyd
MD5
890e9cfab85234fad3f1ae83b092c7cc

SHA1
85419a7cb1e1fa0275b07cf451c1125c31e8b1f7

SHA256
99a40375974e560d0ed9756dcfb77ac3aaaecf2434b442f0f3df908cfe7e821f

SHA512
421d5c161046f57b5d7f94eb628f041b029ff229f08bf0f211d1432b6501ffefa2a57829e74284101f6746f61add1461f1125aefdf3d39027492427a509aa511

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI6362\_hashlib.pyd
MD5
0e06dabd422e093cd7e98e1be6150e8f

SHA1
215e88d0766fb614ab5d4fee27b53af0c289d86f

SHA256
4df493fedb9b7dd97cad3803dc7ae89e98a029fd4ede738a32f489699292c97f

SHA512
0585cc9db3f6146ba2af3e30fcba3b6ef2a91f3c37f241dad6c88bd2cfdba0016a148682a4a6fa665e575b1fc761e4c84f679ea009d230c3d969bf4bcffe99b5

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI6362\_lzma.pyd
MD5
ae9c6dc60d0c38ab10cb7db602ef4243

SHA1
59524ba8b6aa161faad69ad10ac8b707962dd64d

SHA256
589f36321db4db388639353dfa31e0c66e3d1926f0bb29166df3dc9c33624c0e

SHA512
c56b2d739a7854c8e71fe935c2b6c0cbdc9915d73c8ea6445c6b0c4a066d42be13befb1149507c86ea6b404ccd71e7a2d5a12a1101bc9fc886c60c47beb3e4c1

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI6362\_socket.pyd
MD5
281d795dcee077b9584bee76d1215491

SHA1
e4b3d62dfc026ea9fc79f8707f5064b907cc31fc

SHA256
e4314a553d10c1cbfecaca60fdd10491c44c8cc1fe577e7ec0478fab02e7de74

SHA512
f8a903a944d5fe25a7c005d0e5af84ae798f2ce21b1e0cfaf0643544947bfd8f0935888e15b2d015c9b155aa96289339d534cee540fcbbf0cdb0f75503be6879

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI6362\_ssl.pyd
MD5
0a73996c42e200e23ed2c8666ab3e21e

SHA1
513ddf3a55f8e512b7815e82ee7e05c979ebe2cd

SHA256
5749e35f1135e86e20222c246fcccf2f80358721cd05d56988c3a036b8cb7591

SHA512
cc0bb58a0c4f4cefcdb42b3c5af4447e4784a29b6abcbf200bf70897ed49d0cb7d13516544ca43b9b0681b0828e529dd5200f1de2371be6b98299e58e901f169

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI6362\libcrypto-1_1.dll
MD5
cc4cbf715966cdcad95a1e6c95592b3d

SHA1
d5873fea9c084bcc753d1c93b2d0716257bea7c3

SHA256
594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1

SHA512
3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI6362\libffi-7.dll
MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI6362\libssl-1_1.dll
MD5
bc778f33480148efa5d62b2ec85aaa7d

SHA1
b1ec87cbd8bc4398c6ebb26549961c8aab53d855

SHA256
9d4cf1c03629f92662fc8d7e3f1094a7fc93cb41634994464b853df8036af843

SHA512
80c1dd9d0179e6cc5f33eb62d05576a350af78b5170bfdf2ecda16f1d8c3c2d0e991a5534a113361ae62079fb165fff2344efd1b43031f1a7bfda696552ee173

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI6362\python38.dll
MD5
8a6a13127f64757556080d3e4a7e45a0

SHA1
8e9a8e85cebcab07bf62033529ca5631a6d725dd

SHA256
54a34bd2efd0c3dd2ee950adf05d9344c70b0dac40311935763a3f171482a4d9

SHA512
2d4f9cbc544be4c38fccaf618806744bda5065853fa0e7f08bf359994db4bfd29d1cc8ee188ce5e7bfd0c78f7e7625f257fc05e9e736df794fb19fa9738cca16

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI6362\select.pyd
MD5
53dc8b954b1666a6b763af2987090811

SHA1
623224a6bd4e892fe4ed0efbbc48da6a0fd8f9d1

SHA256
088cee4291aa57c0745aacd33cc7761451cbc668b10507fb9ca8af7dfdc1bffa

SHA512
c9742b33fc192b7fd5aee36783fb0ee0f4715415d4dc6567807bc92cfd756e65963d342238f108facac62a73384a6d1bc19fb2094cac398dc62cab60e51780d5

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI6362\unicodedata.pyd
MD5
ae6ca1fd8c4755743efa6c326f6488d0

SHA1
99f17eea9329894ed83587b8e34a8f99272e1c22

SHA256
c8b48d5d323faaf49fc96eed77a623c2ed07fbe4a8efc97e04350c0031789b89

SHA512
05406fc8939b8a5aa942cb2f5d97fcb8f732a836a2f010549d39223c4244e734917b5c8de5a5507e4069879f45c928108bb8041af8900dfca4a971750e54e3ce

Download Submit
memory/1500-2-0x0000000000000000-mapping.dmp

Download