f65ba83c6db3672614119dca0ea2b948100f2d984e642c674a84d9d3498481cf

Analysis

max time kernel
41s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-08-2022 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f65ba83c6db3672614119dca0ea2b948100f2d984e642c674a84d9d3498481cf.exe
Size

180KB
MD5

6b4c224c16e852bdc7ed2001597cde9d
SHA1

70517a53551269d68b969a9328842cea2e1f975c
SHA256

f65ba83c6db3672614119dca0ea2b948100f2d984e642c674a84d9d3498481cf
SHA512

a383bc2ffbacd2f1b9b7863e8ea41ba83873edc2e2c42b74e180767e42cc2dd711109c657ab7b602492ad3962e89fb09c588efc564acae03303143b241b6dcf5
SSDEEP

3072:yscjOeJv94aM0WRtmJQd/osAyP9OHDxqTq2Mia0ZNfo+CnkuRux43v0VrO095TGn:ysVeB943AfykD67MitZt0ux4f0VrOBu8

Score

8^/10

spyware stealer

Malware Config

Signatures

Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

f65ba83c6db3672614119dca0ea2b948100f2d984e642c674a84d9d3498481cf.exe

pid process

1532 f65ba83c6db3672614119dca0ea2b948100f2d984e642c674a84d9d3498481cf.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

f65ba83c6db3672614119dca0ea2b948100f2d984e642c674a84d9d3498481cf.exe

pid process

1532 f65ba83c6db3672614119dca0ea2b948100f2d984e642c674a84d9d3498481cf.exe

pid	process
1532	f65ba83c6db3672614119dca0ea2b948100f2d984e642c674a84d9d3498481cf.exe

pid	process
1532	f65ba83c6db3672614119dca0ea2b948100f2d984e642c674a84d9d3498481cf.exe

C:\Users\Admin\AppData\Local\Temp\f65ba83c6db3672614119dca0ea2b948100f2d984e642c674a84d9d3498481cf.exe
"C:\Users\Admin\AppData\Local\Temp\f65ba83c6db3672614119dca0ea2b948100f2d984e642c674a84d9d3498481cf.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\sqlite3.dll
Filesize
962KB

MD5
68fcae2f9bdb38fdfa4e7826a45a494e

SHA1
8a3c69f5d9140b07a8fcf578ce479cd4b1295003

SHA256
9dc0373e28a45187528591a3ed0eabc4c4a2a6d3eeb8e38c3f451fc11d9e5b48

SHA512
8e916967fc1995a68de2cdf878ac4c5a5c16f226d92b78ce1bb30047f9e6834886791cf7b7f03485aec5ac0d31dbba28deef2354b1b18d58fd798473f12759c7

Download Submit
memory/1532-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download