1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5

Analysis

max time kernel
41s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe
Size

5.8MB
MD5

e8568a0e8f1a3303655720e96d5576b9
SHA1

60b789d00d1ea678bca5d94ec6c1b9b6fac29d49
SHA256

1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5
SHA512

9588db2a91e3ea125b82fcad5f70b07998a9ce8192035c42efd5242448f9a726cb35a558d668f8b868aa7411cd8ef26d12aed39cd95c9ed53a2ad9fd45c006c4

Score

7^/10

spyware stealer

Malware Config

Signatures

Loads dropped DLL 14 IoCs

Processes:

1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe

pid	process
1620	1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe
1620	1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe
1620	1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe
1620	1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe
1620	1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe
1620	1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe
1620	1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe
1620	1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe
1620	1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe
1620	1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe
1620	1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe
1620	1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe
1620	1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe
1620	1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 api.ipify.org
2 api.ipify.org
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe

description pid process

Token: 35 1620 1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe

flow	ioc
1	api.ipify.org
2	api.ipify.org

description	pid	process
Token: 35	1620	1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe

description	pid	process	target process
PID 1552 wrote to memory of 1620	1552	1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe	1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe
PID 1552 wrote to memory of 1620	1552	1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe	1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe
PID 1552 wrote to memory of 1620	1552	1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe	1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe
PID 1552 wrote to memory of 1620	1552	1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe	1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe

C:\Users\Admin\AppData\Local\Temp\1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe
"C:\Users\Admin\AppData\Local\Temp\1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Users\Admin\AppData\Local\Temp\1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe
"C:\Users\Admin\AppData\Local\Temp\1591a426f899b72bae08c46cc638a11b0115982d3f7875d52af869e98ed45af5.exe"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1620

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI15522\VCRUNTIME140.dll
Filesize
84KB

MD5
ae96651cfbd18991d186a029cbecb30c

SHA1
18df8af1022b5cb188e3ee98ac5b4da24ac9c526

SHA256
1b372f064eacb455a0351863706e6326ca31b08e779a70de5de986b5be8069a1

SHA512
42a58c17f63cf0d404896d3b4bb16b2c9270cc2192aa4c9be265ed3970dfc2a4115e1db08f35c39e403b4c918be4ed7d19d2e2e015cb06b33d26a6c6521556e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15522\_bz2.pyd
Filesize
76KB

MD5
5dedab6e47c950a6cb82680a0d415585

SHA1
17d1781d9e5f0cc1b22ed4a81f67645cbb11ba37

SHA256
c5b60eaf4bdf8cd9f4766f77951200ba80332f76fbe462a65300e495710c99ec

SHA512
90c2bd107c8f97a3420a5b349686dd1be363ffbb14113fcd0e84bd14268bb7000e50c91c5793a999a610ec00d706e73ac81f9e21f998bc539bb20b08ace59dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15522\_hashlib.pyd
Filesize
31KB

MD5
e5a58b1bc77e05be1c1808d5d9705aa5

SHA1
0026bfbb6d020b8894ff4b4630415d0b5c2e3f32

SHA256
23e4e24bc65a5ab78cbdd3081e7314fd5b9adf9ad597163716f06146198ef4db

SHA512
e43c55882afe1e7cf376aa6a79da3d8f6007c54dc4bb2279efaee721cbd78bf1f4aa578ed7f519f1a7a5584b001b58eec8f68dc98729cee9fe21c864f5e93858

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15522\_lzma.pyd
Filesize
179KB

MD5
4e6aa16a3cd862f73fd112860f7c6c90

SHA1
560d2a7948f3f20850dbb5fad5b827d00ef93c87

SHA256
050435d4b43d3a193682f21720ec98037c32947367a172c908fdaad0351b8dbc

SHA512
8ee8349e22bf5265ed58a76bf62e3399eff64ad51a6e8ef113eb6e5c41bc7e8c440ef27102c5d5038e04b1056b989d20738594bdd3950cf13d4def0f8b404255

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15522\_queue.pyd
Filesize
24KB

MD5
da018b3fd1038f675385601173081e73

SHA1
eef0d8278d6ff516769aa447b805e327601a9703

SHA256
728267523c58071d6ddbfe5892f31a27a5f17bdbfc331a6550310e4a99b4cee6

SHA512
4824e495683d36aab02decd62110dce7fd1e2e8f9ede4dc69e5616b0a59fbf9386d552a8a627e992f817220aa1cda54310ac88a9fa5200f9186ace61a2a18504

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15522\_socket.pyd
Filesize
64KB

MD5
7821c28ad46c0f89b8414dc485a039aa

SHA1
66e99b0b401ec4740801b2a0fddf376d1b49ccc5

SHA256
a7e806b3c8ba54b8b2afd21c0c0a7a1d81eb24a307b96615cb005c0ebe833ec9

SHA512
a891574ce0fd934fde14ef0d73eebd2443225ebd4bd97dd75cec4013756a4cfcf5719e900f70c26149a3f1ffeca985c4dfe5bcc7aa344f74f16efe4ef726b605

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15522\_sqlite3.pyd
Filesize
64KB

MD5
02d2936195ccb630a08a6b1e47beb646

SHA1
0c29cb57be0e5ab1e1c111129717c67fdeeaf17b

SHA256
be4495946a063e3862f7400a58b29f1accad288457cfb654c999cc1fc801f5e1

SHA512
d11028e540a7063a4e480d00ca13ab6f2773429959aff11d5603e9b2fe1c1f4259dc2e4c9c6d0701bb33d0832b0986bd318627eddf071e5e9b826718665a9d6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15522\_ssl.pyd
Filesize
98KB

MD5
7d0c317ca387585ac223ef73be0d55fa

SHA1
15b3a8675bf73a755098027efd528c3263dfeb99

SHA256
23ba11d7c97fb805cf3449c0a0ad1cd74628a6c881fc7685af24b8d1e4a49feb

SHA512
dbcca7d884b30d3db2bd84d50481c01dda94f4ba97a56770c4093f738ed79000475c07cdb3e5f062a71d943d1fec99f744dacd6a0e0c0da2216695e3d455ea44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15522\base_library.zip
Filesize
768KB

MD5
2431b5fca844ea42a8f4533d9b0d0207

SHA1
4b0b324a7814038634c61404f314eb23f1d567d4

SHA256
6eb9881a76c79055daa4f49b1fc53929e894383b5ea05d5f3a2a2f979fb7a215

SHA512
0ffc92bf287c475bd964226717e9c223b7c52b01f3791418c52a66577e619ae2b1737ce9407975360b261bccfc73dc2b422959e2a2b44773ac3607a3e08b726d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15522\certifi\cacert.pem
Filesize
274KB

MD5
77eef70800962694031e78c7352738d7

SHA1
b767d89e989477beb79ba2d5b340b0b4f7ae2192

SHA256
732befe49c758070023448f619a3abb088f44e4f05992bc7478dae873be56ad8

SHA512
0b3984f7bf9d37648a26ef5d3a93e15d5c2e8a443df123121ba43ca858939346cca0d613f04f2d9aba5420b1291ef429fea84e60920220086b153aac61a20f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15522\libcrypto-1_1.dll
Filesize
2.1MB

MD5
67c1ea1b655dbb8989a55e146761c202

SHA1
aecc6573b0e28f59ea8fdd01191621dda6f228ed

SHA256
541adbc9654d967491d11359a0e4ad4972d2bd25f260476dd7576c576478698a

SHA512
1c7612c03df85b596dc360c1a94e367d8bfba51f651b49c598e4a066a693d9aa74195a40cc849ef787eac9b6e1e1fc079b389c03fc539e53abf4aa729bef5893

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15522\libssl-1_1.dll
Filesize
524KB

MD5
9417e0d677e0f8b08398fcd57dccbafd

SHA1
569e82788ff8206e3a43c8653d6421d456ff2a68

SHA256
db16853dbc64f045ae2a972f7605a6f192d09b79cae86fd93b8434fa7d9e031f

SHA512
b7dfd0b265c19d97518e638e4fcc19db3031382cda05c2cbb8965651ceadaa0f68f9d4dd62d542b2c9ef33d9703d50f4d74eb8b9f4918130895ef17feff2f6cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15522\python37.dll
Filesize
3.3MB

MD5
7bc5ea400e1ab182b58d90aea9abc64c

SHA1
ccf483cf6205ce7e3c14827ed22baf142a736d3e

SHA256
386b543a7066ae1ceedb0951ffb5ae0de65be84b5ab71fb2b697d3fa55d6dd35

SHA512
3aa87081c6b226723eec24206f447098a40e2487b74bc7d961d96d31aa48a0e3f9c23a96acfb76b8d5809a3e3023e1b1b0b804d6f43b2bfce4e1b6ae1243238a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15522\select.pyd
Filesize
23KB

MD5
7c5194b55da48318baa00b3214881908

SHA1
9f1888ee668c3237555af71ce279fb2b7dbed642

SHA256
da9d93e0c5a5da7832abf0131baec07303eb1552f91d61a276d7812ca1c9fd85

SHA512
7dfb0322aa8001e0c579d74ec93d3a91128b37fdb523904a3bb6920d4c8481299bcf466e07dca814843027ff261ffc19890d396f7237e7ea4f50ea7243c0805e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15522\sqlite3.dll
Filesize
962KB

MD5
481896508d6f253ebadbeeb14e4aea74

SHA1
f6aa12294cfaa917ef6e459e569c228d65205f1a

SHA256
0e4a5be8fd113b3ee6b739239c1f39b3fb57330018f2657484c821c3f564b672

SHA512
a608579a70587efc7948d643b987f053eda03d3ee5932886347f286780d7efa9f4895e6bb9d0e1d1590e53965d66e636c6333b53a1ec0aff8737757384cb0842

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15522\unicodedata.pyd
Filesize
1.0MB

MD5
1f4cc71a173e2dc83c42ff8342160213

SHA1
ba0d8dd75dde1698872a39b453f1b1b897ea3eb8

SHA256
c195ec2b1ca765530998065c9d34bb4e89732261a1ad1408a0625d46a46538d7

SHA512
637a74dfb3d58a1d59920a74524bf4eb1a65ef4643288f929bbb116dc3d6643e7e4c545730b74aebab0ee9fcd8d2c8887568a2423e59af614ac8bebe5778b3df

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15522\VCRUNTIME140.dll
Filesize
84KB

MD5
ae96651cfbd18991d186a029cbecb30c

SHA1
18df8af1022b5cb188e3ee98ac5b4da24ac9c526

SHA256
1b372f064eacb455a0351863706e6326ca31b08e779a70de5de986b5be8069a1

SHA512
42a58c17f63cf0d404896d3b4bb16b2c9270cc2192aa4c9be265ed3970dfc2a4115e1db08f35c39e403b4c918be4ed7d19d2e2e015cb06b33d26a6c6521556e7

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15522\_bz2.pyd
Filesize
76KB

MD5
5dedab6e47c950a6cb82680a0d415585

SHA1
17d1781d9e5f0cc1b22ed4a81f67645cbb11ba37

SHA256
c5b60eaf4bdf8cd9f4766f77951200ba80332f76fbe462a65300e495710c99ec

SHA512
90c2bd107c8f97a3420a5b349686dd1be363ffbb14113fcd0e84bd14268bb7000e50c91c5793a999a610ec00d706e73ac81f9e21f998bc539bb20b08ace59dcd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15522\_hashlib.pyd
Filesize
31KB

MD5
e5a58b1bc77e05be1c1808d5d9705aa5

SHA1
0026bfbb6d020b8894ff4b4630415d0b5c2e3f32

SHA256
23e4e24bc65a5ab78cbdd3081e7314fd5b9adf9ad597163716f06146198ef4db

SHA512
e43c55882afe1e7cf376aa6a79da3d8f6007c54dc4bb2279efaee721cbd78bf1f4aa578ed7f519f1a7a5584b001b58eec8f68dc98729cee9fe21c864f5e93858

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15522\_lzma.pyd
Filesize
179KB

MD5
4e6aa16a3cd862f73fd112860f7c6c90

SHA1
560d2a7948f3f20850dbb5fad5b827d00ef93c87

SHA256
050435d4b43d3a193682f21720ec98037c32947367a172c908fdaad0351b8dbc

SHA512
8ee8349e22bf5265ed58a76bf62e3399eff64ad51a6e8ef113eb6e5c41bc7e8c440ef27102c5d5038e04b1056b989d20738594bdd3950cf13d4def0f8b404255

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15522\_queue.pyd
Filesize
24KB

MD5
da018b3fd1038f675385601173081e73

SHA1
eef0d8278d6ff516769aa447b805e327601a9703

SHA256
728267523c58071d6ddbfe5892f31a27a5f17bdbfc331a6550310e4a99b4cee6

SHA512
4824e495683d36aab02decd62110dce7fd1e2e8f9ede4dc69e5616b0a59fbf9386d552a8a627e992f817220aa1cda54310ac88a9fa5200f9186ace61a2a18504

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15522\_socket.pyd
Filesize
64KB

MD5
7821c28ad46c0f89b8414dc485a039aa

SHA1
66e99b0b401ec4740801b2a0fddf376d1b49ccc5

SHA256
a7e806b3c8ba54b8b2afd21c0c0a7a1d81eb24a307b96615cb005c0ebe833ec9

SHA512
a891574ce0fd934fde14ef0d73eebd2443225ebd4bd97dd75cec4013756a4cfcf5719e900f70c26149a3f1ffeca985c4dfe5bcc7aa344f74f16efe4ef726b605

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15522\_sqlite3.pyd
Filesize
64KB

MD5
02d2936195ccb630a08a6b1e47beb646

SHA1
0c29cb57be0e5ab1e1c111129717c67fdeeaf17b

SHA256
be4495946a063e3862f7400a58b29f1accad288457cfb654c999cc1fc801f5e1

SHA512
d11028e540a7063a4e480d00ca13ab6f2773429959aff11d5603e9b2fe1c1f4259dc2e4c9c6d0701bb33d0832b0986bd318627eddf071e5e9b826718665a9d6e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15522\_ssl.pyd
Filesize
98KB

MD5
7d0c317ca387585ac223ef73be0d55fa

SHA1
15b3a8675bf73a755098027efd528c3263dfeb99

SHA256
23ba11d7c97fb805cf3449c0a0ad1cd74628a6c881fc7685af24b8d1e4a49feb

SHA512
dbcca7d884b30d3db2bd84d50481c01dda94f4ba97a56770c4093f738ed79000475c07cdb3e5f062a71d943d1fec99f744dacd6a0e0c0da2216695e3d455ea44

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15522\libcrypto-1_1.dll
Filesize
2.1MB

MD5
67c1ea1b655dbb8989a55e146761c202

SHA1
aecc6573b0e28f59ea8fdd01191621dda6f228ed

SHA256
541adbc9654d967491d11359a0e4ad4972d2bd25f260476dd7576c576478698a

SHA512
1c7612c03df85b596dc360c1a94e367d8bfba51f651b49c598e4a066a693d9aa74195a40cc849ef787eac9b6e1e1fc079b389c03fc539e53abf4aa729bef5893

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15522\libssl-1_1.dll
Filesize
524KB

MD5
9417e0d677e0f8b08398fcd57dccbafd

SHA1
569e82788ff8206e3a43c8653d6421d456ff2a68

SHA256
db16853dbc64f045ae2a972f7605a6f192d09b79cae86fd93b8434fa7d9e031f

SHA512
b7dfd0b265c19d97518e638e4fcc19db3031382cda05c2cbb8965651ceadaa0f68f9d4dd62d542b2c9ef33d9703d50f4d74eb8b9f4918130895ef17feff2f6cb

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15522\python37.dll
Filesize
3.3MB

MD5
7bc5ea400e1ab182b58d90aea9abc64c

SHA1
ccf483cf6205ce7e3c14827ed22baf142a736d3e

SHA256
386b543a7066ae1ceedb0951ffb5ae0de65be84b5ab71fb2b697d3fa55d6dd35

SHA512
3aa87081c6b226723eec24206f447098a40e2487b74bc7d961d96d31aa48a0e3f9c23a96acfb76b8d5809a3e3023e1b1b0b804d6f43b2bfce4e1b6ae1243238a

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15522\select.pyd
Filesize
23KB

MD5
7c5194b55da48318baa00b3214881908

SHA1
9f1888ee668c3237555af71ce279fb2b7dbed642

SHA256
da9d93e0c5a5da7832abf0131baec07303eb1552f91d61a276d7812ca1c9fd85

SHA512
7dfb0322aa8001e0c579d74ec93d3a91128b37fdb523904a3bb6920d4c8481299bcf466e07dca814843027ff261ffc19890d396f7237e7ea4f50ea7243c0805e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15522\sqlite3.dll
Filesize
962KB

MD5
481896508d6f253ebadbeeb14e4aea74

SHA1
f6aa12294cfaa917ef6e459e569c228d65205f1a

SHA256
0e4a5be8fd113b3ee6b739239c1f39b3fb57330018f2657484c821c3f564b672

SHA512
a608579a70587efc7948d643b987f053eda03d3ee5932886347f286780d7efa9f4895e6bb9d0e1d1590e53965d66e636c6333b53a1ec0aff8737757384cb0842

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15522\unicodedata.pyd
Filesize
1.0MB

MD5
1f4cc71a173e2dc83c42ff8342160213

SHA1
ba0d8dd75dde1698872a39b453f1b1b897ea3eb8

SHA256
c195ec2b1ca765530998065c9d34bb4e89732261a1ad1408a0625d46a46538d7

SHA512
637a74dfb3d58a1d59920a74524bf4eb1a65ef4643288f929bbb116dc3d6643e7e4c545730b74aebab0ee9fcd8d2c8887568a2423e59af614ac8bebe5778b3df

Download Submit
memory/1620-54-0x0000000000000000-mapping.dmp

Download