0ba84c861f272847794a2bc7fc23bd169a6be5981d6e5fa9bf5b344d8e6c9706

Analysis

max time kernel
158s
max time network
237s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
12-05-2022 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ba84c861f272847794a2bc7fc23bd169a6be5981d6e5fa9bf5b344d8e6c9706.exe
Size

9.4MB
MD5

f8eee8ea0e3bb80c9f73c9ca0dca5b06
SHA1

f79053377abf6224737840ed06787510ef3944dd
SHA256

0ba84c861f272847794a2bc7fc23bd169a6be5981d6e5fa9bf5b344d8e6c9706
SHA512

cdc4c37fed2a0b1c8fcfc01ee5152558639a4d6d7d0ee0c9504e1dc2040ac9c2512e9e9f79b0e1353a2abc9e4a1e4281a068a50c21d2795caf00f866b341fea6

Score

7^/10

spyware stealer

Malware Config

Signatures

Loads dropped DLL 13 IoCs

Processes:

0ba84c861f272847794a2bc7fc23bd169a6be5981d6e5fa9bf5b344d8e6c9706.exe

pid	process
2676	0ba84c861f272847794a2bc7fc23bd169a6be5981d6e5fa9bf5b344d8e6c9706.exe
2676	0ba84c861f272847794a2bc7fc23bd169a6be5981d6e5fa9bf5b344d8e6c9706.exe
2676	0ba84c861f272847794a2bc7fc23bd169a6be5981d6e5fa9bf5b344d8e6c9706.exe
2676	0ba84c861f272847794a2bc7fc23bd169a6be5981d6e5fa9bf5b344d8e6c9706.exe
2676	0ba84c861f272847794a2bc7fc23bd169a6be5981d6e5fa9bf5b344d8e6c9706.exe
2676	0ba84c861f272847794a2bc7fc23bd169a6be5981d6e5fa9bf5b344d8e6c9706.exe
2676	0ba84c861f272847794a2bc7fc23bd169a6be5981d6e5fa9bf5b344d8e6c9706.exe
2676	0ba84c861f272847794a2bc7fc23bd169a6be5981d6e5fa9bf5b344d8e6c9706.exe
2676	0ba84c861f272847794a2bc7fc23bd169a6be5981d6e5fa9bf5b344d8e6c9706.exe
2676	0ba84c861f272847794a2bc7fc23bd169a6be5981d6e5fa9bf5b344d8e6c9706.exe
2676	0ba84c861f272847794a2bc7fc23bd169a6be5981d6e5fa9bf5b344d8e6c9706.exe
2676	0ba84c861f272847794a2bc7fc23bd169a6be5981d6e5fa9bf5b344d8e6c9706.exe
2676	0ba84c861f272847794a2bc7fc23bd169a6be5981d6e5fa9bf5b344d8e6c9706.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

26 api.ipify.org
39 api.ipify.org

flow	ioc
26	api.ipify.org
39	api.ipify.org

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

0ba84c861f272847794a2bc7fc23bd169a6be5981d6e5fa9bf5b344d8e6c9706.exe

description	pid	process	target process
PID 2240 wrote to memory of 2676	2240	0ba84c861f272847794a2bc7fc23bd169a6be5981d6e5fa9bf5b344d8e6c9706.exe	0ba84c861f272847794a2bc7fc23bd169a6be5981d6e5fa9bf5b344d8e6c9706.exe
PID 2240 wrote to memory of 2676	2240	0ba84c861f272847794a2bc7fc23bd169a6be5981d6e5fa9bf5b344d8e6c9706.exe	0ba84c861f272847794a2bc7fc23bd169a6be5981d6e5fa9bf5b344d8e6c9706.exe

C:\Users\Admin\AppData\Local\Temp\0ba84c861f272847794a2bc7fc23bd169a6be5981d6e5fa9bf5b344d8e6c9706.exe
"C:\Users\Admin\AppData\Local\Temp\0ba84c861f272847794a2bc7fc23bd169a6be5981d6e5fa9bf5b344d8e6c9706.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2240

C:\Users\Admin\AppData\Local\Temp\0ba84c861f272847794a2bc7fc23bd169a6be5981d6e5fa9bf5b344d8e6c9706.exe
"C:\Users\Admin\AppData\Local\Temp\0ba84c861f272847794a2bc7fc23bd169a6be5981d6e5fa9bf5b344d8e6c9706.exe"
2⤵
- Loads dropped DLL
PID:2676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI22402\VCRUNTIME140.dll
Filesize
99KB

MD5
8697c106593e93c11adc34faa483c4a0

SHA1
cd080c51a97aa288ce6394d6c029c06ccb783790

SHA256
ff43e813785ee948a937b642b03050bb4b1c6a5e23049646b891a66f65d4c833

SHA512
724bbed7ce6f7506e5d0b43399fb3861dda6457a2ad2fafe734f8921c9a4393b480cdd8a435dbdbd188b90236cb98583d5d005e24fa80b5a0622a6322e6f3987

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\VCRUNTIME140.dll
Filesize
99KB

MD5
8697c106593e93c11adc34faa483c4a0

SHA1
cd080c51a97aa288ce6394d6c029c06ccb783790

SHA256
ff43e813785ee948a937b642b03050bb4b1c6a5e23049646b891a66f65d4c833

SHA512
724bbed7ce6f7506e5d0b43399fb3861dda6457a2ad2fafe734f8921c9a4393b480cdd8a435dbdbd188b90236cb98583d5d005e24fa80b5a0622a6322e6f3987

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\_bz2.pyd
Filesize
83KB

MD5
067a29728d7b070d6486d56d26a5d0bf

SHA1
99c9235899cffc59decd3ef692b134fe11b874c2

SHA256
46460b60fe6dc7873b03ede10bb9abf51f1eec45db6a118c0982136e8dd1929a

SHA512
2d784b426920e4bafc81134bfe76c3a4761252734cbc0709285cf6107cd98f427c235addeab7c55e30c16757d1997dfc6606d96781cf3e07c1b367f14eedf02c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\_bz2.pyd
Filesize
83KB

MD5
067a29728d7b070d6486d56d26a5d0bf

SHA1
99c9235899cffc59decd3ef692b134fe11b874c2

SHA256
46460b60fe6dc7873b03ede10bb9abf51f1eec45db6a118c0982136e8dd1929a

SHA512
2d784b426920e4bafc81134bfe76c3a4761252734cbc0709285cf6107cd98f427c235addeab7c55e30c16757d1997dfc6606d96781cf3e07c1b367f14eedf02c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\_ctypes.pyd
Filesize
122KB

MD5
e5656b2f44cb02347289559f1f9d4388

SHA1
8490dc82af7679bdbac67bd0af93b021dfbba0e0

SHA256
96556b3959d63970ebc2703ca1648fc1a0da62358bb773ce82d418412316432e

SHA512
65a194b3797ec26d8b5ee1be194087d5dde3c2ab44ac2154d983ef66ebedf3665690f6d88f0f07d183d702ca51c7a728b974a46dde99051560acea9de9fb15ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\_ctypes.pyd
Filesize
122KB

MD5
e5656b2f44cb02347289559f1f9d4388

SHA1
8490dc82af7679bdbac67bd0af93b021dfbba0e0

SHA256
96556b3959d63970ebc2703ca1648fc1a0da62358bb773ce82d418412316432e

SHA512
65a194b3797ec26d8b5ee1be194087d5dde3c2ab44ac2154d983ef66ebedf3665690f6d88f0f07d183d702ca51c7a728b974a46dde99051560acea9de9fb15ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\_hashlib.pyd
Filesize
63KB

MD5
df4e08de7a365f5c8b95608889b1fa91

SHA1
c5d0249ce9844551287cb240c78b88f4aa5fa720

SHA256
c689c919aa5a66d06174db6a4f53dc2ceaf064ab2fe7ef2c22f32ecd214200ea

SHA512
5aff1af0fa57fcc77292b97a0b3d4a1453e69ad09fcd8a11660df98865e0dff55c0e345fd0f37c8fc8c9895aa6ca3da6b19781b8f13ec8988620dfae90aed1c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\_hashlib.pyd
Filesize
63KB

MD5
df4e08de7a365f5c8b95608889b1fa91

SHA1
c5d0249ce9844551287cb240c78b88f4aa5fa720

SHA256
c689c919aa5a66d06174db6a4f53dc2ceaf064ab2fe7ef2c22f32ecd214200ea

SHA512
5aff1af0fa57fcc77292b97a0b3d4a1453e69ad09fcd8a11660df98865e0dff55c0e345fd0f37c8fc8c9895aa6ca3da6b19781b8f13ec8988620dfae90aed1c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\_lzma.pyd
Filesize
157KB

MD5
c60e0eb3bd50f207a3b4a5e0c547f10f

SHA1
a481987548fedec6e932131c62a35179f7f7f7fa

SHA256
82bc62adcfd800c58e7f5724ca3c651b955dbaeca3fae26be143233fd5e4acd5

SHA512
ddfe01b7e9eedd853a61054f2aa2a2aacdfc1c6a86559f56dd2b2aede5fa1471d19243edda6010ea4472eeb85e904d6d1dc22edd950be79794173925c769e21d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\_lzma.pyd
Filesize
157KB

MD5
c60e0eb3bd50f207a3b4a5e0c547f10f

SHA1
a481987548fedec6e932131c62a35179f7f7f7fa

SHA256
82bc62adcfd800c58e7f5724ca3c651b955dbaeca3fae26be143233fd5e4acd5

SHA512
ddfe01b7e9eedd853a61054f2aa2a2aacdfc1c6a86559f56dd2b2aede5fa1471d19243edda6010ea4472eeb85e904d6d1dc22edd950be79794173925c769e21d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\_socket.pyd
Filesize
77KB

MD5
702a3329775f6d7ef901803f0860149a

SHA1
1a3b852914a1c4a5569200a14d432b24db1ffc80

SHA256
f05afcbd1a6241d6a94500826603511659d5e66abc2a386480b4bc50aed99245

SHA512
27ea2931f78d73cfbb9471268cc7f06dbf6b024215c8815fa0389a30562c3d7fbe5561c73a894775c1197ea6ca061732ea45954a6c861c03288afbd7e0036ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\_socket.pyd
Filesize
77KB

MD5
702a3329775f6d7ef901803f0860149a

SHA1
1a3b852914a1c4a5569200a14d432b24db1ffc80

SHA256
f05afcbd1a6241d6a94500826603511659d5e66abc2a386480b4bc50aed99245

SHA512
27ea2931f78d73cfbb9471268cc7f06dbf6b024215c8815fa0389a30562c3d7fbe5561c73a894775c1197ea6ca061732ea45954a6c861c03288afbd7e0036ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\_ssl.pyd
Filesize
149KB

MD5
27f6ce4374f301cc42a88464b248ccba

SHA1
6086c38b424ec54fdff0ff9338a88735ab28cca7

SHA256
cdc9739b76e020c0550c3f9f06cd804d6bb6759ca59179242d79fdac30f99f6b

SHA512
7fbfd3d805c2dccbcbbc3bb3edfa5bb33a7d25c51ed28f22b90efeedb99434668e29de66e93d95df16f96202821e62d056a81687b67941a5d26432a9abede6fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\_ssl.pyd
Filesize
149KB

MD5
27f6ce4374f301cc42a88464b248ccba

SHA1
6086c38b424ec54fdff0ff9338a88735ab28cca7

SHA256
cdc9739b76e020c0550c3f9f06cd804d6bb6759ca59179242d79fdac30f99f6b

SHA512
7fbfd3d805c2dccbcbbc3bb3edfa5bb33a7d25c51ed28f22b90efeedb99434668e29de66e93d95df16f96202821e62d056a81687b67941a5d26432a9abede6fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\base_library.zip
Filesize
767KB

MD5
69f4a5a914fed2e05d93035aa21a5b5e

SHA1
1acf8491dacc93b2a379e9d82f9bcd0fcf14a3ab

SHA256
72e832045698e9d1d2761749f4973ad93c8a810be27467e1b9f62ad9592038d0

SHA512
1755e92714035f79a086766f4715ab6d67436bece2dc2aaaafde4dc475a242389334e3fedf3e1bd9c09848a821a089af2157a5d504d086ea7409bc1dc594753d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\libcrypto-1_1.dll
Filesize
3.2MB

MD5
cc4cbf715966cdcad95a1e6c95592b3d

SHA1
d5873fea9c084bcc753d1c93b2d0716257bea7c3

SHA256
594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1

SHA512
3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\libcrypto-1_1.dll
Filesize
3.2MB

MD5
cc4cbf715966cdcad95a1e6c95592b3d

SHA1
d5873fea9c084bcc753d1c93b2d0716257bea7c3

SHA256
594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1

SHA512
3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\libffi-7.dll
Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\libffi-7.dll
Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\libssl-1_1.dll
Filesize
673KB

MD5
bc778f33480148efa5d62b2ec85aaa7d

SHA1
b1ec87cbd8bc4398c6ebb26549961c8aab53d855

SHA256
9d4cf1c03629f92662fc8d7e3f1094a7fc93cb41634994464b853df8036af843

SHA512
80c1dd9d0179e6cc5f33eb62d05576a350af78b5170bfdf2ecda16f1d8c3c2d0e991a5534a113361ae62079fb165fff2344efd1b43031f1a7bfda696552ee173

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\libssl-1_1.dll
Filesize
673KB

MD5
bc778f33480148efa5d62b2ec85aaa7d

SHA1
b1ec87cbd8bc4398c6ebb26549961c8aab53d855

SHA256
9d4cf1c03629f92662fc8d7e3f1094a7fc93cb41634994464b853df8036af843

SHA512
80c1dd9d0179e6cc5f33eb62d05576a350af78b5170bfdf2ecda16f1d8c3c2d0e991a5534a113361ae62079fb165fff2344efd1b43031f1a7bfda696552ee173

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\python39.dll
Filesize
4.3MB

MD5
13aa61cb47495239ce52671385c41a00

SHA1
5ef559a30335b4de9cfa0054c53767c406f0a78f

SHA256
713246bc3c0b2ffb7e7b285654e10b63b5f48ccab031275cf7edaf0276c73de8

SHA512
ff847ac7fa85b72d9f6f796c7406069173d9ed60d84e18cefd8d9b956f87bab901953891e90b93679d68b5740917da194b448e24738d1a9ab2cda02b2d1333cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\python39.dll
Filesize
4.3MB

MD5
13aa61cb47495239ce52671385c41a00

SHA1
5ef559a30335b4de9cfa0054c53767c406f0a78f

SHA256
713246bc3c0b2ffb7e7b285654e10b63b5f48ccab031275cf7edaf0276c73de8

SHA512
ff847ac7fa85b72d9f6f796c7406069173d9ed60d84e18cefd8d9b956f87bab901953891e90b93679d68b5740917da194b448e24738d1a9ab2cda02b2d1333cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\select.pyd
Filesize
26KB

MD5
c0accd8e496463786b606b9b187f4e6b

SHA1
b1197e7dc19667ec6b7189db4836a5683ef978d7

SHA256
46f6086962ab5d4cb627d3d31d085e53188b4cc390253e8d3b34c327a377db5f

SHA512
4d8727e12a830a8950ce52e30c61e09e782653d98f5ced56d9fd47fc74514a4dff1848c12484d0df8d5d44bede27ae7086b6539993713bff76c93464a6d8f3d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\select.pyd
Filesize
26KB

MD5
c0accd8e496463786b606b9b187f4e6b

SHA1
b1197e7dc19667ec6b7189db4836a5683ef978d7

SHA256
46f6086962ab5d4cb627d3d31d085e53188b4cc390253e8d3b34c327a377db5f

SHA512
4d8727e12a830a8950ce52e30c61e09e782653d98f5ced56d9fd47fc74514a4dff1848c12484d0df8d5d44bede27ae7086b6539993713bff76c93464a6d8f3d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\token_grabber.exe.manifest
Filesize
1KB

MD5
658926a076c4b4d1c0291a8ebf6556f6

SHA1
bcfb8ae685f5ab0359941f07dc2551d403818f34

SHA256
39cbf2c23558b456cd011507b2f0780463d41b6a7502cc24940b12350009c4c5

SHA512
d7e83670a0c5d6e0e75ac07b270772b7572b88fe8cee9a20f3c241ebafa9574bf789f267ead92fa216fca75b8bd6e736e5ddd27dbd088a1a0370d5084d865fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\unicodedata.pyd
Filesize
1.1MB

MD5
9f49f221fdddda78858a3563507dc5cf

SHA1
92c4572e880362e4d1bb14eef032bd18c9e67b7c

SHA256
28bd2a08b3b72ee208f04db87b974e974d39aabb9cfa3d8cb8e161e84cf146af

SHA512
e41c2d9562681f0e2eabe55600f592d93615acb2b882e957d3be666d6eb45bc4a5001549c15e26a287c4e4e7db82818d1e0792d4829f28ad39ad72ba87e624b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\unicodedata.pyd
Filesize
1.1MB

MD5
9f49f221fdddda78858a3563507dc5cf

SHA1
92c4572e880362e4d1bb14eef032bd18c9e67b7c

SHA256
28bd2a08b3b72ee208f04db87b974e974d39aabb9cfa3d8cb8e161e84cf146af

SHA512
e41c2d9562681f0e2eabe55600f592d93615acb2b882e957d3be666d6eb45bc4a5001549c15e26a287c4e4e7db82818d1e0792d4829f28ad39ad72ba87e624b9

Download Submit
memory/2676-130-0x0000000000000000-mapping.dmp

Download