43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7

General

Target

43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe
Size

606KB
MD5

cade845aeef6b7efa5bedaec0cfbf3dd
SHA1

f82b1f1ab56e35f73e36978d762db8c55cc8acd5
SHA256

43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7
SHA512

18ae7f55e723112996dd0dd47aa26a95cefc257b6c775c3404ca9656be7a01ac8453cbf04ce7143289ec97efae89837a795d9e0ef513bfa773263543cc75df0b

Score

7^/10

collection spyware stealer

Malware Config

Signatures

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe
Key opened	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe
Key opened	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

27 checkip.dyndns.org
29 freegeoip.app
30 freegeoip.app

flow	ioc
27	checkip.dyndns.org
29	freegeoip.app
30	freegeoip.app

Suspicious use of SetThreadContext 1 IoCs

Processes:

43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe

description	pid	process	target process
PID 4724 set thread context of 3352	4724	43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe	43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2236 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe

pid process

3352 43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe

pid process

4724 43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe

description pid process

Token: SeDebugPrivilege 3352 43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe

pid	process
2236	schtasks.exe

pid	process
3352	43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe

pid	process
4724	43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe

description	pid	process
Token: SeDebugPrivilege	3352	43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.execmd.exe43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe

description	pid	process	target process
PID 4724 wrote to memory of 400	4724	43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe	cmd.exe
PID 4724 wrote to memory of 400	4724	43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe	cmd.exe
PID 4724 wrote to memory of 400	4724	43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe	cmd.exe
PID 4724 wrote to memory of 3352	4724	43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe	43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe
PID 4724 wrote to memory of 3352	4724	43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe	43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe
PID 4724 wrote to memory of 3352	4724	43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe	43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe
PID 4724 wrote to memory of 3352	4724	43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe	43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe
PID 400 wrote to memory of 2236	400	cmd.exe	schtasks.exe
PID 400 wrote to memory of 2236	400	cmd.exe	schtasks.exe
PID 400 wrote to memory of 2236	400	cmd.exe	schtasks.exe
PID 3352 wrote to memory of 2372	3352	43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe	netsh.exe
PID 3352 wrote to memory of 2372	3352	43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe	netsh.exe
PID 3352 wrote to memory of 2372	3352	43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe	netsh.exe

outlook_office_path 1 IoCs

Processes:

43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe

outlook_win_path 1 IoCs

Processes:

43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe

C:\Users\Admin\AppData\Local\Temp\43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe
"C:\Users\Admin\AppData\Local\Temp\43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4724

C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\9aa69471a2df40a0858b2e3d548c5149.xml"
2⤵
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\9aa69471a2df40a0858b2e3d548c5149.xml"
3⤵
- Creates scheduled task(s)
PID:2236

C:\Users\Admin\AppData\Local\Temp\43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe
"C:\Users\Admin\AppData\Local\Temp\43b38b03a4d508d069883de17b26ec4d6c3100f2a283e7b54034dc92775797f7.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3352

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
3⤵
PID:2372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9aa69471a2df40a0858b2e3d548c5149.xml
MD5
09aeca55d92f28c5ad1869e858c82983

SHA1
69bab4e284b6fd0d7aa52bf46695b35fe095dd45

SHA256
abf5c1f7bdc5a6ed4a86c4d382348012f09e45d41447551edf32ca88942739d1

SHA512
44bc92a87f6fc546b970f2cd13e5c24b1e3a8a9cc08c98194d42a2a6bf882e65bd18d9848055accdce22af7caa77a4ff055e27836cbd1bba448fbf55fbb9588d

Download Submit
memory/400-134-0x0000000000000000-mapping.dmp

Download
memory/2236-137-0x0000000000000000-mapping.dmp

Download
memory/2372-142-0x0000000000000000-mapping.dmp

Download
memory/3352-135-0x0000000000000000-mapping.dmp

Download
memory/3352-139-0x0000000004FD0000-0x000000000506C000-memory.dmp

Filesize
624KB

Download
memory/3352-140-0x0000000005620000-0x0000000005BC4000-memory.dmp

Filesize
5.6MB

Download
memory/3352-141-0x00000000050E0000-0x0000000005146000-memory.dmp

Filesize
408KB

Download
memory/3352-143-0x00000000066E0000-0x00000000068A2000-memory.dmp

Filesize
1.8MB

Download
memory/4724-136-0x00000000010FA000-0x00000000010FF000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads