8c41da324aa2605f0c6de1d4c902830e258d9d1e7a611c860b0327466a23e7d7

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 14:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c41da324aa2605f0c6de1d4c902830e258d9d1e7a611c860b0327466a23e7d7.exe
Size

5.6MB
MD5

eaadf4d32da3039aaeed37f934c43d76
SHA1

e04a92fb674553ea968f16cbe46a87bd34aea693
SHA256

8c41da324aa2605f0c6de1d4c902830e258d9d1e7a611c860b0327466a23e7d7
SHA512

d3de8a8b77653b02de26bda0c0fff65c53734810745c38fa475da7612d147285263ffcedc7e0bd8c166d0885919a11025fd9845de4669985df2614d79ad91aa3

Score

7^/10

spyware stealer

Malware Config

Signatures

Loads dropped DLL 14 IoCs

Processes:

8c41da324aa2605f0c6de1d4c902830e258d9d1e7a611c860b0327466a23e7d7.exe

pid	process
1528	8c41da324aa2605f0c6de1d4c902830e258d9d1e7a611c860b0327466a23e7d7.exe
1528	8c41da324aa2605f0c6de1d4c902830e258d9d1e7a611c860b0327466a23e7d7.exe
1528	8c41da324aa2605f0c6de1d4c902830e258d9d1e7a611c860b0327466a23e7d7.exe
1528	8c41da324aa2605f0c6de1d4c902830e258d9d1e7a611c860b0327466a23e7d7.exe
1528	8c41da324aa2605f0c6de1d4c902830e258d9d1e7a611c860b0327466a23e7d7.exe
1528	8c41da324aa2605f0c6de1d4c902830e258d9d1e7a611c860b0327466a23e7d7.exe
1528	8c41da324aa2605f0c6de1d4c902830e258d9d1e7a611c860b0327466a23e7d7.exe
1528	8c41da324aa2605f0c6de1d4c902830e258d9d1e7a611c860b0327466a23e7d7.exe
1528	8c41da324aa2605f0c6de1d4c902830e258d9d1e7a611c860b0327466a23e7d7.exe
1528	8c41da324aa2605f0c6de1d4c902830e258d9d1e7a611c860b0327466a23e7d7.exe
1528	8c41da324aa2605f0c6de1d4c902830e258d9d1e7a611c860b0327466a23e7d7.exe
1528	8c41da324aa2605f0c6de1d4c902830e258d9d1e7a611c860b0327466a23e7d7.exe
1528	8c41da324aa2605f0c6de1d4c902830e258d9d1e7a611c860b0327466a23e7d7.exe
1528	8c41da324aa2605f0c6de1d4c902830e258d9d1e7a611c860b0327466a23e7d7.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 api.ipify.org
2 api.ipify.org
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8c41da324aa2605f0c6de1d4c902830e258d9d1e7a611c860b0327466a23e7d7.exe

description pid process

Token: 35 1528 8c41da324aa2605f0c6de1d4c902830e258d9d1e7a611c860b0327466a23e7d7.exe

flow	ioc
1	api.ipify.org
2	api.ipify.org

description	pid	process
Token: 35	1528	8c41da324aa2605f0c6de1d4c902830e258d9d1e7a611c860b0327466a23e7d7.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

8c41da324aa2605f0c6de1d4c902830e258d9d1e7a611c860b0327466a23e7d7.exe

description	pid	process	target process
PID 884 wrote to memory of 1528	884	8c41da324aa2605f0c6de1d4c902830e258d9d1e7a611c860b0327466a23e7d7.exe	8c41da324aa2605f0c6de1d4c902830e258d9d1e7a611c860b0327466a23e7d7.exe
PID 884 wrote to memory of 1528	884	8c41da324aa2605f0c6de1d4c902830e258d9d1e7a611c860b0327466a23e7d7.exe	8c41da324aa2605f0c6de1d4c902830e258d9d1e7a611c860b0327466a23e7d7.exe
PID 884 wrote to memory of 1528	884	8c41da324aa2605f0c6de1d4c902830e258d9d1e7a611c860b0327466a23e7d7.exe	8c41da324aa2605f0c6de1d4c902830e258d9d1e7a611c860b0327466a23e7d7.exe
PID 884 wrote to memory of 1528	884	8c41da324aa2605f0c6de1d4c902830e258d9d1e7a611c860b0327466a23e7d7.exe	8c41da324aa2605f0c6de1d4c902830e258d9d1e7a611c860b0327466a23e7d7.exe

C:\Users\Admin\AppData\Local\Temp\8c41da324aa2605f0c6de1d4c902830e258d9d1e7a611c860b0327466a23e7d7.exe
"C:\Users\Admin\AppData\Local\Temp\8c41da324aa2605f0c6de1d4c902830e258d9d1e7a611c860b0327466a23e7d7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:884

C:\Users\Admin\AppData\Local\Temp\8c41da324aa2605f0c6de1d4c902830e258d9d1e7a611c860b0327466a23e7d7.exe
"C:\Users\Admin\AppData\Local\Temp\8c41da324aa2605f0c6de1d4c902830e258d9d1e7a611c860b0327466a23e7d7.exe"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1528

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI8842\VCRUNTIME140.dll
Filesize
84KB

MD5
ae96651cfbd18991d186a029cbecb30c

SHA1
18df8af1022b5cb188e3ee98ac5b4da24ac9c526

SHA256
1b372f064eacb455a0351863706e6326ca31b08e779a70de5de986b5be8069a1

SHA512
42a58c17f63cf0d404896d3b4bb16b2c9270cc2192aa4c9be265ed3970dfc2a4115e1db08f35c39e403b4c918be4ed7d19d2e2e015cb06b33d26a6c6521556e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8842\_bz2.pyd
Filesize
71KB

MD5
2dd25ac2510c5640169d89ee220e748e

SHA1
38fd561088e61e4dbb97a026bfee8fbf6533250e

SHA256
f5086031019c5e03afcfee227c4d30e82b68c24f5a5871640c3e8682852d9a54

SHA512
e4fab2e20031dec366c113fe10ff81d759a2a1837cd1ee2598bb6c1107cb16a6db13501b69e80ee08e61005020b557221f858b690e2a3bab13a94fb04f87ef62

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8842\_hashlib.pyd
Filesize
31KB

MD5
d7fb745382c6356cb58a865b7868a87f

SHA1
c05940c7e57e7e1c8e031d1644cd91f507adf5e1

SHA256
a5ced194f4a143e6f517c22e6a1edbabca0d875243845bc57a87c2d70c07f23d

SHA512
1a19293c041811a72dbc88807aaa6a396600732f716ccbb2d976850c01f69d1ddeb5101e56c9b92fbb02496481e9da3fcc47af96bf8e9102477f9f28386f94c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8842\_lzma.pyd
Filesize
180KB

MD5
3f9883975873f598093f33164be01fbc

SHA1
851b304266d19ec89193ade145e7aa7094cb9217

SHA256
1afb4acf310dc86ab032cf27fb59c468ca7e65448b899dc31d5a53317d5bc831

SHA512
a0613ed7bbab49a8da297d4947d5595c0637df1186834e19db8bc800d2f01bc1f8531e20921093778e1006edcf6705d9e49751106552520c0dd001c66a5dfc6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8842\_queue.pyd
Filesize
23KB

MD5
4f38eb31e85412b5bb3cc955f7a83cfb

SHA1
5752194a2987b795636e708bae7d436e064790ec

SHA256
326f00f00dabf86b33325b8f6344a141aefb2a56ba5c173d2efe175efa72058b

SHA512
814f7904ec79ca03750fc57b64329c8ef4c3fe3648f65b63ec103b21a07278f038e8b786559085b612abd442d67493681e3bf8f6a6ab18c2b112b67a9e327f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8842\_socket.pyd
Filesize
65KB

MD5
86d72934a494121978ef74c8b8aca5a4

SHA1
3c15697eee23365722f79d70710ac0a1ba5de6e1

SHA256
24657ecfde063412c941aaa6a085341d45ecf4c0153b37b7476459835ccb3cbb

SHA512
b7e720d4801690b6c610726046070b8a761113c30a14d6c54205f3ea5ae273494fa28b1fe57c33e196b71d7b2c1be28a3acbf5a3337cad0e9e4216918d8487e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8842\_sqlite3.pyd
Filesize
65KB

MD5
1a773c31e455ce212f82f1a6b1b207b6

SHA1
b82fc8bdef8938046330aabad6bab6c11fe1ffaf

SHA256
410e4ec337622b8b39f261d1d79268c20a51e420df9536b14511007b5bb16fb6

SHA512
fe2537f35789228db25fa54c8f86e109143e75a0e176b3a793f4aea13c75894a658098de6b62304efd3eef5762fc1ce6fdbe5a5377bbbe4ca1c4ace2d911790f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8842\_ssl.pyd
Filesize
101KB

MD5
6e8d415d50d8292dbfb479447ac09c27

SHA1
cb2154d70a5cb9a875309e0860b82a825c6416f0

SHA256
5b616af730aa15a75558afa50e725c7d4d4e5b22bbffd348df2239425cfeadd0

SHA512
a8196e2536a3c733b59fa11da10f85eda0d2c50deb246d895fccbcb7f8e33c7aa11928ce8264eabaf0e9c761f5b11c7e65cb4ec503c0338c90e1d7180f7c0bac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8842\base_library.zip
Filesize
768KB

MD5
a3d49b3140d18970e5012b20426a4410

SHA1
3caca550cf8cb81eaee108eb91804485f16a17f0

SHA256
33d958cb81d424d36087f3a1c7eec466f0391db6bf983098e951ca55bdadb1ba

SHA512
5523cea34e46591770235648beb9a4333faccf0ee34170cfb5826bb4beaa4ba755062c267dd0aeac25f718e6a97dc8ec39fe652af20a9132dc5bd8060562fcc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8842\certifi\cacert.pem
Filesize
274KB

MD5
77eef70800962694031e78c7352738d7

SHA1
b767d89e989477beb79ba2d5b340b0b4f7ae2192

SHA256
732befe49c758070023448f619a3abb088f44e4f05992bc7478dae873be56ad8

SHA512
0b3984f7bf9d37648a26ef5d3a93e15d5c2e8a443df123121ba43ca858939346cca0d613f04f2d9aba5420b1291ef429fea84e60920220086b153aac61a20f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8842\libcrypto-1_1.dll
Filesize
1.8MB

MD5
25c4ebe7eb728eb40f9f9857849abad9

SHA1
d907b46d6b5924a4d887438583145b8d2edda10c

SHA256
ee585c57129d29c67d1f038ca35113ce34319bff1e8e163588e394dd096cd04a

SHA512
9f43ac67d873d28415ce4bb6d5823f361c31a018e3a4d56f191f9c2503ea0e41a8c3b7ca7860bd1abc013e3827ec2d47d9577ddbc128e10a1c2ac78615f7c8a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8842\libssl-1_1.dll
Filesize
396KB

MD5
a11c90defa3969b20b8730450447636c

SHA1
05ec6e2fae9ad1d8446341f0e87d2d0fd7398bf0

SHA256
5b24d33ef69546a929b021738018c55ee6cea62b3ddd8d69a78dcad4dc5c6255

SHA512
d1d1469ed7280b66f9fbd1fae9d1bdc91be8b7a7f2340a4e6163da33f0a4a13043b6f4f5c6eb30bdc164991c16bcec0872e66c9843cc38ddc982e49c41e8cc3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8842\python37.dll
Filesize
3.4MB

MD5
c66cff63d88f6e9dd4d8e12263a928b5

SHA1
95c617965db8d8ddb76c2775a2441d1609605162

SHA256
1d70473101f95a42764c8430548645b0a9786bac0fe08367f593416c9b791718

SHA512
993001dcf9448dedf49fea89a76294364501dd09eac88184511e6ebab997119ac94e3e9d596d02571174f5a04b1d4ec6888f494eb0810e28bdb674867695005b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8842\select.pyd
Filesize
22KB

MD5
91ce806fb378ca8e5752aefeb5775da8

SHA1
5d18e0120b181f56562c228a360283fed1071d1f

SHA256
715b9028dbd2faef7a084b8919086fe258b5069f295655deae5dff95f6cb23f6

SHA512
ef557947653936f1dc9e68730d7edba420a2b7011c85fa55446c31f60e1af3732aa312fee91d72c39223d008d0231047d55d77e649ed1e6a09de663b78246fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8842\sqlite3.dll
Filesize
902KB

MD5
0bbbe34067f3dcd0156c42b77636656e

SHA1
50f3d2a07c18e08d21b0e6da1c66a6713b924f06

SHA256
0dac83db9da4b8dca67103dce064b30b3d1b713575833534698432793dcb22cd

SHA512
59bec267f315d04e0edea591ce4670ec7e70acb6b6215d69f18c95d67f6aaf13de32f37febb15bbc45202d4e511cf1cdc44c28176d0b9a1318cbee53ba6f0b20

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8842\unicodedata.pyd
Filesize
1.0MB

MD5
c184941d097bf03782cc74b785e6dada

SHA1
c4ca2607047ef69e0cff516d38c4147087f45b02

SHA256
95c2e7b6bb25a0beb8a5c0376ceed33098d9991cda0414f844f5b9b506167891

SHA512
1c284dbff3ddfc76af8a649d237f90e87a9ecd7e36783626ebff7fca1cf1532b6b455372445b29352bc12df23a2e095f994f0ca454877f9ea38558875c314137

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8842\VCRUNTIME140.dll
Filesize
84KB

MD5
ae96651cfbd18991d186a029cbecb30c

SHA1
18df8af1022b5cb188e3ee98ac5b4da24ac9c526

SHA256
1b372f064eacb455a0351863706e6326ca31b08e779a70de5de986b5be8069a1

SHA512
42a58c17f63cf0d404896d3b4bb16b2c9270cc2192aa4c9be265ed3970dfc2a4115e1db08f35c39e403b4c918be4ed7d19d2e2e015cb06b33d26a6c6521556e7

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8842\_bz2.pyd
Filesize
71KB

MD5
2dd25ac2510c5640169d89ee220e748e

SHA1
38fd561088e61e4dbb97a026bfee8fbf6533250e

SHA256
f5086031019c5e03afcfee227c4d30e82b68c24f5a5871640c3e8682852d9a54

SHA512
e4fab2e20031dec366c113fe10ff81d759a2a1837cd1ee2598bb6c1107cb16a6db13501b69e80ee08e61005020b557221f858b690e2a3bab13a94fb04f87ef62

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8842\_hashlib.pyd
Filesize
31KB

MD5
d7fb745382c6356cb58a865b7868a87f

SHA1
c05940c7e57e7e1c8e031d1644cd91f507adf5e1

SHA256
a5ced194f4a143e6f517c22e6a1edbabca0d875243845bc57a87c2d70c07f23d

SHA512
1a19293c041811a72dbc88807aaa6a396600732f716ccbb2d976850c01f69d1ddeb5101e56c9b92fbb02496481e9da3fcc47af96bf8e9102477f9f28386f94c4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8842\_lzma.pyd
Filesize
180KB

MD5
3f9883975873f598093f33164be01fbc

SHA1
851b304266d19ec89193ade145e7aa7094cb9217

SHA256
1afb4acf310dc86ab032cf27fb59c468ca7e65448b899dc31d5a53317d5bc831

SHA512
a0613ed7bbab49a8da297d4947d5595c0637df1186834e19db8bc800d2f01bc1f8531e20921093778e1006edcf6705d9e49751106552520c0dd001c66a5dfc6c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8842\_queue.pyd
Filesize
23KB

MD5
4f38eb31e85412b5bb3cc955f7a83cfb

SHA1
5752194a2987b795636e708bae7d436e064790ec

SHA256
326f00f00dabf86b33325b8f6344a141aefb2a56ba5c173d2efe175efa72058b

SHA512
814f7904ec79ca03750fc57b64329c8ef4c3fe3648f65b63ec103b21a07278f038e8b786559085b612abd442d67493681e3bf8f6a6ab18c2b112b67a9e327f37

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8842\_socket.pyd
Filesize
65KB

MD5
86d72934a494121978ef74c8b8aca5a4

SHA1
3c15697eee23365722f79d70710ac0a1ba5de6e1

SHA256
24657ecfde063412c941aaa6a085341d45ecf4c0153b37b7476459835ccb3cbb

SHA512
b7e720d4801690b6c610726046070b8a761113c30a14d6c54205f3ea5ae273494fa28b1fe57c33e196b71d7b2c1be28a3acbf5a3337cad0e9e4216918d8487e7

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8842\_sqlite3.pyd
Filesize
65KB

MD5
1a773c31e455ce212f82f1a6b1b207b6

SHA1
b82fc8bdef8938046330aabad6bab6c11fe1ffaf

SHA256
410e4ec337622b8b39f261d1d79268c20a51e420df9536b14511007b5bb16fb6

SHA512
fe2537f35789228db25fa54c8f86e109143e75a0e176b3a793f4aea13c75894a658098de6b62304efd3eef5762fc1ce6fdbe5a5377bbbe4ca1c4ace2d911790f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8842\_ssl.pyd
Filesize
101KB

MD5
6e8d415d50d8292dbfb479447ac09c27

SHA1
cb2154d70a5cb9a875309e0860b82a825c6416f0

SHA256
5b616af730aa15a75558afa50e725c7d4d4e5b22bbffd348df2239425cfeadd0

SHA512
a8196e2536a3c733b59fa11da10f85eda0d2c50deb246d895fccbcb7f8e33c7aa11928ce8264eabaf0e9c761f5b11c7e65cb4ec503c0338c90e1d7180f7c0bac

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8842\libcrypto-1_1.dll
Filesize
1.8MB

MD5
25c4ebe7eb728eb40f9f9857849abad9

SHA1
d907b46d6b5924a4d887438583145b8d2edda10c

SHA256
ee585c57129d29c67d1f038ca35113ce34319bff1e8e163588e394dd096cd04a

SHA512
9f43ac67d873d28415ce4bb6d5823f361c31a018e3a4d56f191f9c2503ea0e41a8c3b7ca7860bd1abc013e3827ec2d47d9577ddbc128e10a1c2ac78615f7c8a9

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8842\libssl-1_1.dll
Filesize
396KB

MD5
a11c90defa3969b20b8730450447636c

SHA1
05ec6e2fae9ad1d8446341f0e87d2d0fd7398bf0

SHA256
5b24d33ef69546a929b021738018c55ee6cea62b3ddd8d69a78dcad4dc5c6255

SHA512
d1d1469ed7280b66f9fbd1fae9d1bdc91be8b7a7f2340a4e6163da33f0a4a13043b6f4f5c6eb30bdc164991c16bcec0872e66c9843cc38ddc982e49c41e8cc3b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8842\python37.dll
Filesize
3.4MB

MD5
c66cff63d88f6e9dd4d8e12263a928b5

SHA1
95c617965db8d8ddb76c2775a2441d1609605162

SHA256
1d70473101f95a42764c8430548645b0a9786bac0fe08367f593416c9b791718

SHA512
993001dcf9448dedf49fea89a76294364501dd09eac88184511e6ebab997119ac94e3e9d596d02571174f5a04b1d4ec6888f494eb0810e28bdb674867695005b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8842\select.pyd
Filesize
22KB

MD5
91ce806fb378ca8e5752aefeb5775da8

SHA1
5d18e0120b181f56562c228a360283fed1071d1f

SHA256
715b9028dbd2faef7a084b8919086fe258b5069f295655deae5dff95f6cb23f6

SHA512
ef557947653936f1dc9e68730d7edba420a2b7011c85fa55446c31f60e1af3732aa312fee91d72c39223d008d0231047d55d77e649ed1e6a09de663b78246fd7

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8842\sqlite3.dll
Filesize
902KB

MD5
0bbbe34067f3dcd0156c42b77636656e

SHA1
50f3d2a07c18e08d21b0e6da1c66a6713b924f06

SHA256
0dac83db9da4b8dca67103dce064b30b3d1b713575833534698432793dcb22cd

SHA512
59bec267f315d04e0edea591ce4670ec7e70acb6b6215d69f18c95d67f6aaf13de32f37febb15bbc45202d4e511cf1cdc44c28176d0b9a1318cbee53ba6f0b20

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8842\unicodedata.pyd
Filesize
1.0MB

MD5
c184941d097bf03782cc74b785e6dada

SHA1
c4ca2607047ef69e0cff516d38c4147087f45b02

SHA256
95c2e7b6bb25a0beb8a5c0376ceed33098d9991cda0414f844f5b9b506167891

SHA512
1c284dbff3ddfc76af8a649d237f90e87a9ecd7e36783626ebff7fca1cf1532b6b455372445b29352bc12df23a2e095f994f0ca454877f9ea38558875c314137

Download Submit
memory/1528-54-0x0000000000000000-mapping.dmp

Download