Overview

overview

7

Static

static

eb20f12dd4...01.exe

windows7_x64

7

eb20f12dd4...01.exe

windows10_x64

7

Resubmissions

12-10-2021 16:28

211012-ty57eacgd8 7

12-10-2021 11:11

211012-nae3esccb9 10

Analysis

  • max time kernel
    1200s
  • max time network
    1197s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    12-10-2021 16:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eb20f12dd433c5c9174bc138d1c44266cc3a36f59fae9ddae8c0f246943c8801.exe

  • Size

    1.2MB

  • MD5

    6e667db54814bbf9cde7c00a1f9ccaad

  • SHA1

    a2feadc2e292c60436f63cdc17a7a61ed78b9859

  • SHA256

    eb20f12dd433c5c9174bc138d1c44266cc3a36f59fae9ddae8c0f246943c8801

  • SHA512

    c77f5395a188feae436ac88d675d215d220bbd0fdd659522d99140c5add8edfa17f8447ce8f56f17ff22f51a2aac21ca393c01b8c46093c1c5080f9f4f3427ba

Score
7/10
spywarestealer

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Uses Tor communications 1 TTPs

    Malware can proxy its traffic through Tor for more anonymity.

  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb20f12dd433c5c9174bc138d1c44266cc3a36f59fae9ddae8c0f246943c8801.exe
    "C:\Users\Admin\AppData\Local\Temp\eb20f12dd433c5c9174bc138d1c44266cc3a36f59fae9ddae8c0f246943c8801.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1500
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\system32\svchost.exe"
      2⤵
        PID:1648

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\18270f82.dat
      MD5

      6d06c249f56d1442a1c76e47d2e68428

      SHA1

      0f03461bd655ab75da9c5cb623a27505314087b5

      SHA256

      d07942ec27adf86c4bcd07e815b598d9ce2f157a80b8e5489c9e11e5f8926a5e

      SHA512

      9abb937ca543fad416382a59c6fd08e916a6f5b3b20d0508c7b14f257764a92f9f781c3b2bf51e74b4313a2c88a0508e05caab94bbe1d535bdb42a4b92d40d7d

      Download Submit

    • memory/1500-53-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1500-54-0x0000000077740000-0x00000000778E9000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/1648-55-0x0000000000000000-mapping.dmp

      Download

    • memory/1648-56-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

      Download