f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7

General

Target

f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe
Size

324KB
MD5

bda20d0177640d129ace7394841fe5c0
SHA1

3c8c531a28901ce5f3a6eb9b5ac1c353bfc73f87
SHA256

f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7
SHA512

bfaedf705c5bdb3b8b4aa63b18a20e9336ee77999e3637f3677f3aa1623270e5b9dbb62bcd1d1b338979c391cb38d4b127544120804ac42e1c515b0776d02e9e

Score

7^/10

spyware stealer

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe

pid process

372 f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe

pid	process
372	f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe
372	f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe
372	f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe
372	f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe
372	f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe
372	f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe
372	f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe
372	f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe
372	f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe
372	f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe

description pid process

Token: SeDebugPrivilege 372 f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe

description	pid	process
Token: SeDebugPrivilege	372	f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe

C:\Users\Admin\AppData\Local\Temp\f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe
"C:\Users\Admin\AppData\Local\Temp\f1e69833ed94c69e8e447ab280d677dbf3bd7df8fcc3aa1fc819fbe58703e9c7.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\10d99b49-052f-4ada-adab-4c003fc333e5\AgileDotNetRT.dll
MD5
edd74be9723cdc6a5692954f0e51c9f3

SHA1
e9fb66ceee1ba4ce7e5b8271b3e1ed7cb9acf686

SHA256
55ff1e0a4e5866d565ceeb9baafac73fdcb4464160fc6c78104d935009935cd7

SHA512
80abecdd07f364283f216d8f4d90a4da3efd4561900631fce05c2916afeb1b5bbce23ae92d57430b7b2b06c172b2ad701b2ab75b6dfd2a861abcf7edc38462f3

Download Submit
memory/372-59-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/372-62-0x0000000074D20000-0x0000000074DA0000-memory.dmp

Filesize
512KB

Download
memory/372-63-0x0000000004290000-0x0000000004291000-memory.dmp

Filesize
4KB

Download
memory/372-64-0x0000000004295000-0x00000000042A6000-memory.dmp

Filesize
68KB

Download
memory/372-65-0x00000000042A6000-0x00000000042A7000-memory.dmp

Filesize
4KB

Download
memory/372-66-0x00000000042A7000-0x00000000042A8000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing