97e799becef44ad19659b81b1d8604ec6888304efc73bb105ed233096ad20045

Analysis

max time kernel
5s
max time network
8s
platform
windows7_x64
resource
win7v20201028
submitted
27-03-2021 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f56a39a0417c779c0b48fa7b2638cc58.exe
Size

753KB
MD5

f56a39a0417c779c0b48fa7b2638cc58
SHA1

351ad6d8775a69d06498dbc6953f366f6c5e11fc
SHA256

97e799becef44ad19659b81b1d8604ec6888304efc73bb105ed233096ad20045
SHA512

06a94e843792ee261facc3560009eb4fb2f3bdd4e3af77a65d27703d9a7aa2f6b0df520fe8eb3f5a4b81ee2d53a01bfc5fc9f04f93967ec6f10fadc6c4080616

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f56a39a0417c779c0b48fa7b2638cc58.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f56a39a0417c779c0b48fa7b2638cc58.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f56a39a0417c779c0b48fa7b2638cc58.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f56a39a0417c779c0b48fa7b2638cc58.exe

pid process

776 f56a39a0417c779c0b48fa7b2638cc58.exe
776 f56a39a0417c779c0b48fa7b2638cc58.exe

pid	process
776	f56a39a0417c779c0b48fa7b2638cc58.exe
776	f56a39a0417c779c0b48fa7b2638cc58.exe

C:\Users\Admin\AppData\Local\Temp\f56a39a0417c779c0b48fa7b2638cc58.exe
"C:\Users\Admin\AppData\Local\Temp\f56a39a0417c779c0b48fa7b2638cc58.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/776-2-0x000000007DD60000-0x000000007DE6B000-memory.dmp

Filesize
1.0MB

Download
memory/1892-3-0x000007FEF6200000-0x000007FEF647A000-memory.dmp

Filesize
2.5MB

Download