55e0722ff82fa927a04cb6911c3726b78e6b892d400753d853d0ddbc7dba4b2a

General

Target

55e0722ff82fa927a04cb6911c3726b78e6b892d400753d853d0ddbc7dba4b2a.exe
Size

3.0MB
MD5

09fb8646753f7041cb0dc124b3c571cf
SHA1

d41f962c8b308802635a446d1637a1316be54da1
SHA256

55e0722ff82fa927a04cb6911c3726b78e6b892d400753d853d0ddbc7dba4b2a
SHA512

7e0bc327c63acfc77c4276b6e7cffdd6514a4512fe76ebed360c629d94511f20dd0368c6220a21c40e1bb64b53e9a86ccb971a4c38c5cdf813a431716b15a536

Score

9^/10

spyware stealer

Malware Config

Signatures

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1396-63-0x000000001B170000-0x000000001B4B2000-memory.dmp	WebBrowserPassView

Nirsoft 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1396-63-0x000000001B170000-0x000000001B4B2000-memory.dmp	Nirsoft

Executes dropped EXE 1 IoCs

Processes:

RtkBtManServ.exe

pid process

1396 RtkBtManServ.exe
Loads dropped DLL 1 IoCs

Processes:

55e0722ff82fa927a04cb6911c3726b78e6b892d400753d853d0ddbc7dba4b2a.exe

pid process

1316 55e0722ff82fa927a04cb6911c3726b78e6b892d400753d853d0ddbc7dba4b2a.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api64.ipify.org
6 api64.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RtkBtManServ.exe

description pid process

Token: SeDebugPrivilege 1396 RtkBtManServ.exe

pid	process
1396	RtkBtManServ.exe

pid	process
1316	55e0722ff82fa927a04cb6911c3726b78e6b892d400753d853d0ddbc7dba4b2a.exe

flow	ioc
5	api64.ipify.org
6	api64.ipify.org

description	pid	process
Token: SeDebugPrivilege	1396	RtkBtManServ.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

55e0722ff82fa927a04cb6911c3726b78e6b892d400753d853d0ddbc7dba4b2a.exe

description	pid	process	target process
PID 1316 wrote to memory of 1396	1316	55e0722ff82fa927a04cb6911c3726b78e6b892d400753d853d0ddbc7dba4b2a.exe	RtkBtManServ.exe
PID 1316 wrote to memory of 1396	1316	55e0722ff82fa927a04cb6911c3726b78e6b892d400753d853d0ddbc7dba4b2a.exe	RtkBtManServ.exe
PID 1316 wrote to memory of 1396	1316	55e0722ff82fa927a04cb6911c3726b78e6b892d400753d853d0ddbc7dba4b2a.exe	RtkBtManServ.exe
PID 1316 wrote to memory of 1396	1316	55e0722ff82fa927a04cb6911c3726b78e6b892d400753d853d0ddbc7dba4b2a.exe	RtkBtManServ.exe

C:\Users\Admin\AppData\Local\Temp\55e0722ff82fa927a04cb6911c3726b78e6b892d400753d853d0ddbc7dba4b2a.exe
"C:\Users\Admin\AppData\Local\Temp\55e0722ff82fa927a04cb6911c3726b78e6b892d400753d853d0ddbc7dba4b2a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1316

C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
"C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs4iWQts1PND+kGJ4xdmGirFtT5W3OXFMbjE8CmdHgtOm0xo8eWTYs60ZjZMZYNO9Oj+IEZX5hTZz71kfTdlEjihNmMmWELE++ykkeW58BqUkHKYnClrsLhUECbONhhqWho=
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
MD5
88ab0bb59b0b20816a833ba91c1606d3

SHA1
72c09b7789a4bac8fee41227d101daed8437edeb

SHA256
f4fb42c8312a6002a8783e2a1ab4571eb89e92cd192b1a21e8c4582205c37312

SHA512
05cff2ca00ba940d9371c469bce6ffb4795c845d77525b8a1d4919f708296e66c0a6f3143c5964f5e963955e4f527a70624651113e72dc977f5ef40fa0276857

Download Submit
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
MD5
88ab0bb59b0b20816a833ba91c1606d3

SHA1
72c09b7789a4bac8fee41227d101daed8437edeb

SHA256
f4fb42c8312a6002a8783e2a1ab4571eb89e92cd192b1a21e8c4582205c37312

SHA512
05cff2ca00ba940d9371c469bce6ffb4795c845d77525b8a1d4919f708296e66c0a6f3143c5964f5e963955e4f527a70624651113e72dc977f5ef40fa0276857

Download Submit
C:\Users\Admin\AppData\Local\Temp\config
MD5
1ba367d0f9aac0f650e65ab7401776c0

SHA1
75cf3295125cfaa0c247ebccc57e63f915198683

SHA256
68c4ec552c98f3b5a4744e4eefadd6364dc8075c2e718b7bcbfc76625aa60d03

SHA512
45ccdf02314fe01948aa2ecddb3b50f68d5b32d8542e3a3aeaf3f2920e2285d3b75ebb81b9eb9fb9e0a446af5a3708720e07672874d5d38871dbdcd09483449c

Download Submit
\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
MD5
88ab0bb59b0b20816a833ba91c1606d3

SHA1
72c09b7789a4bac8fee41227d101daed8437edeb

SHA256
f4fb42c8312a6002a8783e2a1ab4571eb89e92cd192b1a21e8c4582205c37312

SHA512
05cff2ca00ba940d9371c469bce6ffb4795c845d77525b8a1d4919f708296e66c0a6f3143c5964f5e963955e4f527a70624651113e72dc977f5ef40fa0276857

Download Submit
memory/1316-57-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/1316-56-0x0000000000A90000-0x0000000000D8C000-memory.dmp

Filesize
3.0MB

Download
memory/1316-55-0x0000000074B10000-0x00000000751FE000-memory.dmp

Filesize
6.9MB

Download
memory/1396-66-0x000000001BA20000-0x000000001BAD0000-memory.dmp

Filesize
704KB

Download
memory/1396-63-0x000000001B170000-0x000000001B4B2000-memory.dmp

Filesize
3.3MB

Download
memory/1396-64-0x0000000000820000-0x0000000000826000-memory.dmp

Filesize
24KB

Download
memory/1396-65-0x000000001AE00000-0x000000001AE02000-memory.dmp

Filesize
8KB

Download
memory/1396-62-0x00000000003D0000-0x00000000006AA000-memory.dmp

Filesize
2.9MB

Download
memory/1396-61-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/1396-68-0x0000000002170000-0x00000000021A0000-memory.dmp

Filesize
192KB

Download
memory/1396-69-0x0000000000AA0000-0x0000000000AAC000-memory.dmp

Filesize
48KB

Download
memory/1396-70-0x0000000002230000-0x000000000224A000-memory.dmp

Filesize
104KB

Download
memory/1396-71-0x00000000022D0000-0x0000000002302000-memory.dmp

Filesize
200KB

Download
memory/1396-72-0x000000001AFB0000-0x000000001B052000-memory.dmp

Filesize
648KB

Download
memory/1396-73-0x000000001A990000-0x000000001A998000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads