786337e6ac4a71724904beb2ccc5b829225d60aeece1910e98a84f22d9bc391b

Analysis

max time kernel
5s
max time network
13s
platform
windows7_x64
resource
win7v20201028
submitted
23-02-2021 13:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84554e80579f70af3ff3485f17488dc0.exe
Size

7.7MB
MD5

84554e80579f70af3ff3485f17488dc0
SHA1

90084aa1c44a728e45d3c3b5d3ad18a450f1ea1a
SHA256

786337e6ac4a71724904beb2ccc5b829225d60aeece1910e98a84f22d9bc391b
SHA512

4fd6c1fe8b725fdc4a88133815ffd44c46865177761431e38853e701ca6d89aae4c4805c3c5ec2ae20a9ba5778ba0aed1252b412cacf14e13f95e65ea0a08d04

Score

7^/10

spyware

Malware Config

Signatures

Loads dropped DLL 16 IoCs

Processes:

84554e80579f70af3ff3485f17488dc0.exe

pid	process
1996	84554e80579f70af3ff3485f17488dc0.exe
1996	84554e80579f70af3ff3485f17488dc0.exe
1996	84554e80579f70af3ff3485f17488dc0.exe
1996	84554e80579f70af3ff3485f17488dc0.exe
1996	84554e80579f70af3ff3485f17488dc0.exe
1996	84554e80579f70af3ff3485f17488dc0.exe
1996	84554e80579f70af3ff3485f17488dc0.exe
1996	84554e80579f70af3ff3485f17488dc0.exe
1996	84554e80579f70af3ff3485f17488dc0.exe
1996	84554e80579f70af3ff3485f17488dc0.exe
1996	84554e80579f70af3ff3485f17488dc0.exe
1996	84554e80579f70af3ff3485f17488dc0.exe
1996	84554e80579f70af3ff3485f17488dc0.exe
1996	84554e80579f70af3ff3485f17488dc0.exe
1996	84554e80579f70af3ff3485f17488dc0.exe
1996	84554e80579f70af3ff3485f17488dc0.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 api.ipify.org
2 api.ipify.org

flow	ioc
1	api.ipify.org
2	api.ipify.org

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

84554e80579f70af3ff3485f17488dc0.exe

description	pid	process	target process
PID 292 wrote to memory of 1996	292	84554e80579f70af3ff3485f17488dc0.exe	84554e80579f70af3ff3485f17488dc0.exe
PID 292 wrote to memory of 1996	292	84554e80579f70af3ff3485f17488dc0.exe	84554e80579f70af3ff3485f17488dc0.exe
PID 292 wrote to memory of 1996	292	84554e80579f70af3ff3485f17488dc0.exe	84554e80579f70af3ff3485f17488dc0.exe

C:\Users\Admin\AppData\Local\Temp\84554e80579f70af3ff3485f17488dc0.exe
"C:\Users\Admin\AppData\Local\Temp\84554e80579f70af3ff3485f17488dc0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:292

C:\Users\Admin\AppData\Local\Temp\84554e80579f70af3ff3485f17488dc0.exe
"C:\Users\Admin\AppData\Local\Temp\84554e80579f70af3ff3485f17488dc0.exe"
2⤵
- Loads dropped DLL
PID:1996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI2922\DiscordNitroGenerator.exe.manifest

MD5
26448d6fd6b36205ae6489e4efc6800d

SHA1
e3ad93bf1bae40e95e856a45118f04050f10db3b

SHA256
7e74d53c9c3d146237b31eff156ce23ec1159e7e9ca494c4bc5f3cdd8b239cf4

SHA512
c40452498dc6dc6de52f4a09be255c68b731cb1153ef7efd44e9152d0bb97306e8074ff76f7a5857be5926e111addafba9db3f76f601b44d239e637a3a0e003c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2922\VCRUNTIME140.dll

MD5
6ba0dbcd2db8f44243799c891dbd2a59

SHA1
30a2719d4b8667fd237bcfb781660901c993d9fc

SHA256
263988a0868053b6b01835cd2959c8f71e3f943610421b269da646f2d9e3b333

SHA512
94dea85ef50d55cec0d1bbae4671386ce8ca02e870ce417abfef0a8499fdf0bd0eb5ba38debd07c213f7da39cbea63a18143484b05e9c7ca36b2f68e4520bb4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2922\_bz2.pyd

MD5
6909da62abc73216883a89a60b66e73b

SHA1
015eb36344e5f3fe2df467bd47a04bded616b052

SHA256
4c22e0d2786dd7e93f55e1f4a1c27d2e141a55682ed2c09b90320817fcf011f9

SHA512
eddabb51b6092b3c3e3b6968ea831a262f8f5f8a26b1c95badc616ca236d0928aa789334835130ec40137ffc623b5d2031a585e890162b489a26fd990845b63a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2922\_ctypes.pyd

MD5
ffde1baacbe6729ad5246068870915a4

SHA1
2d42751140fc244f19dece6b1948b2b67d36bab4

SHA256
cc839990fb1020520731c35a183c83c9dc927aa78fa6b149a92a39e9d156c8b8

SHA512
1ac3ec986c55af37eb93d35a15e8a64726e5154240c0c5aac8286f7e347c678482ec65c62b454cf237023253642335ce6b3f6c0cc084e1527e61d48aaf7752f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2922\_hashlib.pyd

MD5
178b3a8bddd3bc0e832efe59c8045e4c

SHA1
cc3a48a2945f251c5f9ddc7011011b8563352978

SHA256
1e12f3528c9a33111fd6589b323b5e022d020b461ee65b0a97bd628d53217f2a

SHA512
e7ce152f3c0afdf00651cdb1173a32da837a00f988a285a71c16289a7acaeb80048e7650a30fe5d5604dfcb4c8199edce8d5eb9f9ff974779a542498a1bdd7ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2922\_lzma.pyd

MD5
af8385e0cb374ae6caee59190175dd12

SHA1
a16d7d021ec3fa31fb1b2ce5929c2d3d4c96d6b8

SHA256
e414ee3efa6a4e1edf610dd780335ab9372cbe7919a73596bbb267b55ad23999

SHA512
3e4e26bbcf14ebcb4faedb8982c46b3f5318c88dd395c668c50e4f5ddbfe6c1836eb49e49e855cc95934e8247e63df0f7543f66e4fe13335558fc21c0c566b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2922\_queue.pyd

MD5
1711e365021dae47498f552c1d000d49

SHA1
c0512da577c85c2c1b5822761baf535a7ed3dc2c

SHA256
2b4b4b0b1ea2c6ce8e33c3896e73af029962ffa1a5c7ddb2d0152991214a84b1

SHA512
065a2a94af1079f5e0cfa4807e026c9deb28cf559779e0527ed31b541814280b907094659906fc3ffd3520437c5a37bc0225937abc08b9aac18e3b5215bd5f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2922\_socket.pyd

MD5
fc47a3b4dc7353591970a20678b90a81

SHA1
5ca5436e0c66f468bb48b5ea16c69125fcc34bea

SHA256
4e7ee0ecf839c42d96c53309384737e8f84bb5e90ecd20d511cc3fc6ec135f44

SHA512
8f52f33ce49bc38a9356d46c63aef4f8f05d491377f4969f52fd84f83712faed3d9637044d27583bf06fc52687667b630ba8d2eb8ee27f4a810520df5499b725

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2922\_sqlite3.pyd

MD5
515d66f23287eeaf37215657ec2b5cc0

SHA1
9e949066922436d22d5642aa6299cdb37a21c6ac

SHA256
74fa8048922a3a723e0768e797b709f84ce3e55178152608bb829be1b57a6253

SHA512
7c72b0569ad3c9e26377310e5e88898cc60dc40533fea7e658442758511c730bf34a3cb0154e6490721099649ecb99dd93fb0378ee1d80185ec12a5bda30e343

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2922\_ssl.pyd

MD5
bb726a022fa65d9db794e280372dbe3e

SHA1
c48e78b37e10a713380040d16145e0ef06050e8e

SHA256
87362816a16c45095ad9ac3dc174509b2a4dd794cd17f56cac356d11c992de12

SHA512
637b78e884b55e6819e64e1b8f57f8399099165b65bf5866f8d03adb1305655b4773096b80666f88c1ff65cdd0c74ee2e0bcfb3258456ddf04c47b597f4f4287

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2922\base_library.zip

MD5
cb94e5b92f58e97d86bd01a9ac97900e

SHA1
bec77d594c61536761fc81708abb503709233a1a

SHA256
574a414bc908cae6ca7b0378c8c2350a0d7bcc5244bfaabe4081a940e332ebf1

SHA512
67d12420c5db33b9ec41a226a8614cd0c6a57a60df75ecfb1bc4f11623de664ebab270da07c384139968fdedd5628b46fe765870d6366665e4251c781056553d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2922\certifi\cacert.pem

MD5
1ba3b44f73a6b25711063ea5232f4883

SHA1
1b1a84804f896b7085924f8bf0431721f3b5bdbe

SHA256
bb77f13d3fbec9e98bbf28ac95046b44196c7d8f55ab7720061e99991a829197

SHA512
0dd2a14331308b1de757d56fab43678431e0ad6f5f5b12c32fa515d142bd955f8be690b724e07f41951dd03c9fee00e604f4e0b9309da3ea438c8e9b56ca581b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2922\libcrypto-1_1.dll

MD5
4929f390f3b9132af172d38b22bd2a2b

SHA1
19d27dc93c402801b8cb582b3aa27b17d24403d3

SHA256
4c1cbe61f562459baf382d3153b4bfc8a651bfc4ab41c99b3c8c29e19de7fde0

SHA512
2c7f3dfaba9e2844bcfddd3b05897f97ef043cc1cd5576ec0442eb26c9740c4df69a707e28bf5c6a0796e27e8de77ea430626ec822d74e054d081d32aaae7d93

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2922\libffi-7.dll

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2922\libssl-1_1.dll

MD5
facfcc9c58fe4238c847907689ddf485

SHA1
8382d1666627cd47855bc687615a9cc38eef7361

SHA256
d89a9009e10a2cb2d49771e694cd88f33d69cff0d3c92bc2d8e0b512e0ef9546

SHA512
f5d5f3e59438d6af1bcd22d85982107cc5eaea52c62243d11464a01f37172cb0aed343de68652882234349f1e0671b976fd5b6e77a532a9fa3cda7a0f77718c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2922\python38.dll

MD5
c0ed63bf515d04803906e1b703e9cb86

SHA1
61f9a465d7a782aedfd5e2b1a9dc8bff6c103b5a

SHA256
24bfc999a733d4759ca40425610555f597b1d015f87ef5f84e15c665297247a4

SHA512
78384c34cefc40cb86913dffdc6a360668467731a8a3678d5f8377d8ae63d244b45506b0b6e2498825b53abe8fd84d2b75b3e9fef3703fead90183ace433e70a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2922\select.pyd

MD5
f4887f1d906dc336fe0c3f7dbb720ca3

SHA1
67def676ad3569029d2a357a40a138fc7570bdcc

SHA256
36552bc64127d4866c657c9b74c0399baad70957a5380896fd8202e3a6bb7b4f

SHA512
51006d164c2512adfab92d22be5fed7c093cb647821045a6cdfd2ed7a30d94e620a446b8434b3e91d5544ef737e1492f3dc6c29cadbfdfa5e41df7fb5106a301

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2922\sqlite3.dll

MD5
aa21b1b8d06846022de18164911ab2d8

SHA1
9091a9aec63adf8df3f820e584c8ffacf64ab8e8

SHA256
1357bab65b0362542bb99b5e1c9b2f76a644005331215b74bd723c2c81780c6e

SHA512
9c0eadf6645b1e4a266469cc32f962fecf667ee0828c21effad01fee0cc8a7f207a1b0716ab25710d0acc410cb24c0d0cd3b095bf5a25e0dc1d78ca6838c9a76

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2922\unicodedata.pyd

MD5
eb9d4362b715f076eac021ddf7d792af

SHA1
67cbd1023cde7d75c13c79874e37226ee477230a

SHA256
4061c7fe871fc3b90baf4b540c60c61ac613ffdfcdf61f362a5e6aaa92057b47

SHA512
71202ffe8d8564b05875e7304b4024bfcdffe18fa122580968916f20923af740648638f75a66e5c7b0539503e5a26b4cc4fcd5ef779eb445952a4a68177a6fe8

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI2922\VCRUNTIME140.dll

MD5
6ba0dbcd2db8f44243799c891dbd2a59

SHA1
30a2719d4b8667fd237bcfb781660901c993d9fc

SHA256
263988a0868053b6b01835cd2959c8f71e3f943610421b269da646f2d9e3b333

SHA512
94dea85ef50d55cec0d1bbae4671386ce8ca02e870ce417abfef0a8499fdf0bd0eb5ba38debd07c213f7da39cbea63a18143484b05e9c7ca36b2f68e4520bb4d

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI2922\_bz2.pyd

MD5
6909da62abc73216883a89a60b66e73b

SHA1
015eb36344e5f3fe2df467bd47a04bded616b052

SHA256
4c22e0d2786dd7e93f55e1f4a1c27d2e141a55682ed2c09b90320817fcf011f9

SHA512
eddabb51b6092b3c3e3b6968ea831a262f8f5f8a26b1c95badc616ca236d0928aa789334835130ec40137ffc623b5d2031a585e890162b489a26fd990845b63a

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI2922\_ctypes.pyd

MD5
ffde1baacbe6729ad5246068870915a4

SHA1
2d42751140fc244f19dece6b1948b2b67d36bab4

SHA256
cc839990fb1020520731c35a183c83c9dc927aa78fa6b149a92a39e9d156c8b8

SHA512
1ac3ec986c55af37eb93d35a15e8a64726e5154240c0c5aac8286f7e347c678482ec65c62b454cf237023253642335ce6b3f6c0cc084e1527e61d48aaf7752f1

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI2922\_hashlib.pyd

MD5
178b3a8bddd3bc0e832efe59c8045e4c

SHA1
cc3a48a2945f251c5f9ddc7011011b8563352978

SHA256
1e12f3528c9a33111fd6589b323b5e022d020b461ee65b0a97bd628d53217f2a

SHA512
e7ce152f3c0afdf00651cdb1173a32da837a00f988a285a71c16289a7acaeb80048e7650a30fe5d5604dfcb4c8199edce8d5eb9f9ff974779a542498a1bdd7ee

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI2922\_lzma.pyd

MD5
af8385e0cb374ae6caee59190175dd12

SHA1
a16d7d021ec3fa31fb1b2ce5929c2d3d4c96d6b8

SHA256
e414ee3efa6a4e1edf610dd780335ab9372cbe7919a73596bbb267b55ad23999

SHA512
3e4e26bbcf14ebcb4faedb8982c46b3f5318c88dd395c668c50e4f5ddbfe6c1836eb49e49e855cc95934e8247e63df0f7543f66e4fe13335558fc21c0c566b5b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI2922\_queue.pyd

MD5
1711e365021dae47498f552c1d000d49

SHA1
c0512da577c85c2c1b5822761baf535a7ed3dc2c

SHA256
2b4b4b0b1ea2c6ce8e33c3896e73af029962ffa1a5c7ddb2d0152991214a84b1

SHA512
065a2a94af1079f5e0cfa4807e026c9deb28cf559779e0527ed31b541814280b907094659906fc3ffd3520437c5a37bc0225937abc08b9aac18e3b5215bd5f29

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI2922\_socket.pyd

MD5
fc47a3b4dc7353591970a20678b90a81

SHA1
5ca5436e0c66f468bb48b5ea16c69125fcc34bea

SHA256
4e7ee0ecf839c42d96c53309384737e8f84bb5e90ecd20d511cc3fc6ec135f44

SHA512
8f52f33ce49bc38a9356d46c63aef4f8f05d491377f4969f52fd84f83712faed3d9637044d27583bf06fc52687667b630ba8d2eb8ee27f4a810520df5499b725

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI2922\_sqlite3.pyd

MD5
515d66f23287eeaf37215657ec2b5cc0

SHA1
9e949066922436d22d5642aa6299cdb37a21c6ac

SHA256
74fa8048922a3a723e0768e797b709f84ce3e55178152608bb829be1b57a6253

SHA512
7c72b0569ad3c9e26377310e5e88898cc60dc40533fea7e658442758511c730bf34a3cb0154e6490721099649ecb99dd93fb0378ee1d80185ec12a5bda30e343

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI2922\_ssl.pyd

MD5
bb726a022fa65d9db794e280372dbe3e

SHA1
c48e78b37e10a713380040d16145e0ef06050e8e

SHA256
87362816a16c45095ad9ac3dc174509b2a4dd794cd17f56cac356d11c992de12

SHA512
637b78e884b55e6819e64e1b8f57f8399099165b65bf5866f8d03adb1305655b4773096b80666f88c1ff65cdd0c74ee2e0bcfb3258456ddf04c47b597f4f4287

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI2922\libcrypto-1_1.dll

MD5
4929f390f3b9132af172d38b22bd2a2b

SHA1
19d27dc93c402801b8cb582b3aa27b17d24403d3

SHA256
4c1cbe61f562459baf382d3153b4bfc8a651bfc4ab41c99b3c8c29e19de7fde0

SHA512
2c7f3dfaba9e2844bcfddd3b05897f97ef043cc1cd5576ec0442eb26c9740c4df69a707e28bf5c6a0796e27e8de77ea430626ec822d74e054d081d32aaae7d93

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI2922\libffi-7.dll

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI2922\libssl-1_1.dll

MD5
facfcc9c58fe4238c847907689ddf485

SHA1
8382d1666627cd47855bc687615a9cc38eef7361

SHA256
d89a9009e10a2cb2d49771e694cd88f33d69cff0d3c92bc2d8e0b512e0ef9546

SHA512
f5d5f3e59438d6af1bcd22d85982107cc5eaea52c62243d11464a01f37172cb0aed343de68652882234349f1e0671b976fd5b6e77a532a9fa3cda7a0f77718c5

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI2922\python38.dll

MD5
c0ed63bf515d04803906e1b703e9cb86

SHA1
61f9a465d7a782aedfd5e2b1a9dc8bff6c103b5a

SHA256
24bfc999a733d4759ca40425610555f597b1d015f87ef5f84e15c665297247a4

SHA512
78384c34cefc40cb86913dffdc6a360668467731a8a3678d5f8377d8ae63d244b45506b0b6e2498825b53abe8fd84d2b75b3e9fef3703fead90183ace433e70a

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI2922\select.pyd

MD5
f4887f1d906dc336fe0c3f7dbb720ca3

SHA1
67def676ad3569029d2a357a40a138fc7570bdcc

SHA256
36552bc64127d4866c657c9b74c0399baad70957a5380896fd8202e3a6bb7b4f

SHA512
51006d164c2512adfab92d22be5fed7c093cb647821045a6cdfd2ed7a30d94e620a446b8434b3e91d5544ef737e1492f3dc6c29cadbfdfa5e41df7fb5106a301

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI2922\sqlite3.dll

MD5
aa21b1b8d06846022de18164911ab2d8

SHA1
9091a9aec63adf8df3f820e584c8ffacf64ab8e8

SHA256
1357bab65b0362542bb99b5e1c9b2f76a644005331215b74bd723c2c81780c6e

SHA512
9c0eadf6645b1e4a266469cc32f962fecf667ee0828c21effad01fee0cc8a7f207a1b0716ab25710d0acc410cb24c0d0cd3b095bf5a25e0dc1d78ca6838c9a76

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI2922\unicodedata.pyd

MD5
eb9d4362b715f076eac021ddf7d792af

SHA1
67cbd1023cde7d75c13c79874e37226ee477230a

SHA256
4061c7fe871fc3b90baf4b540c60c61ac613ffdfcdf61f362a5e6aaa92057b47

SHA512
71202ffe8d8564b05875e7304b4024bfcdffe18fa122580968916f20923af740648638f75a66e5c7b0539503e5a26b4cc4fcd5ef779eb445952a4a68177a6fe8

Download Submit
memory/1996-2-0x0000000000000000-mapping.dmp

Download