164517ae043b1e0ed0539a132001b786816361f26fc0dd1648ffd3a428c94718

General

Target

164517ae043b1e0ed0539a132001b786816361f26fc0dd1648ffd3a428c94718.exe
Size

291KB
MD5

835c431d44e546ac46f899466acff0e1
SHA1

b2426fe3d7ddf38ad26d100c7cbe9db1cc9e2b70
SHA256

164517ae043b1e0ed0539a132001b786816361f26fc0dd1648ffd3a428c94718
SHA512

c4d30704e773775fc6f8ae999a6ab5a32509dc1f4704910862db4b916a7e4cdd7080ed70cbc364719ffba69b6ba0e2911bc69fa8f9e8b1ef9e5ddaa62ed0f3e9
SSDEEP

3072:G3W+AbFKPxh4v94pRZy9uFQupoNmq3gNeJ7XRFWuBlEtRp37jSQN4RrWOFkHk:R+Ab8PxhKGpRZguszQeJ7JcJnuc

Score

10^/10

spyware stealer upx

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
s316089329.online.de
Port:
21
Username:
u57326293-test
Password:
sX9Fmdxq

Signatures

Nirsoft 4 IoCs

resource	yara_rule
behavioral2/memory/1380-145-0x0000000000400000-0x0000000000419000-memory.dmp	Nirsoft
behavioral2/memory/1380-147-0x0000000000400000-0x0000000000419000-memory.dmp	Nirsoft
behavioral2/memory/224-157-0x0000000000400000-0x0000000000419000-memory.dmp	Nirsoft
behavioral2/memory/224-158-0x0000000000400000-0x0000000000419000-memory.dmp	Nirsoft

Executes dropped EXE 3 IoCs

pid	Process
4508	GLNON.exe
1380	GLNON.exe
224	GLNON.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1380-138-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/1380-137-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/1380-139-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/1380-144-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/1380-145-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/1380-147-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/224-149-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/224-150-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/224-151-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/224-156-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/224-157-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/224-158-0x0000000000400000-0x0000000000419000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	164517ae043b1e0ed0539a132001b786816361f26fc0dd1648ffd3a428c94718.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4508 set thread context of 1380	4508	GLNON.exe	85
PID 4508 set thread context of 224	4508	GLNON.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4508	GLNON.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 4508	1884	164517ae043b1e0ed0539a132001b786816361f26fc0dd1648ffd3a428c94718.exe	84
PID 1884 wrote to memory of 4508	1884	164517ae043b1e0ed0539a132001b786816361f26fc0dd1648ffd3a428c94718.exe	84
PID 1884 wrote to memory of 4508	1884	164517ae043b1e0ed0539a132001b786816361f26fc0dd1648ffd3a428c94718.exe	84
PID 4508 wrote to memory of 1380	4508	GLNON.exe	85
PID 4508 wrote to memory of 1380	4508	GLNON.exe	85
PID 4508 wrote to memory of 1380	4508	GLNON.exe	85
PID 4508 wrote to memory of 1380	4508	GLNON.exe	85
PID 4508 wrote to memory of 1380	4508	GLNON.exe	85
PID 4508 wrote to memory of 1380	4508	GLNON.exe	85
PID 4508 wrote to memory of 1380	4508	GLNON.exe	85
PID 4508 wrote to memory of 1380	4508	GLNON.exe	85
PID 4508 wrote to memory of 224	4508	GLNON.exe	86
PID 4508 wrote to memory of 224	4508	GLNON.exe	86
PID 4508 wrote to memory of 224	4508	GLNON.exe	86
PID 4508 wrote to memory of 224	4508	GLNON.exe	86
PID 4508 wrote to memory of 224	4508	GLNON.exe	86
PID 4508 wrote to memory of 224	4508	GLNON.exe	86
PID 4508 wrote to memory of 224	4508	GLNON.exe	86
PID 4508 wrote to memory of 224	4508	GLNON.exe	86

C:\Users\Admin\AppData\Local\Temp\164517ae043b1e0ed0539a132001b786816361f26fc0dd1648ffd3a428c94718.exe
"C:\Users\Admin\AppData\Local\Temp\164517ae043b1e0ed0539a132001b786816361f26fc0dd1648ffd3a428c94718.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Users\Admin\AppData\Local\Temp\GLNON.exe
  "C:\Users\Admin\AppData\Local\Temp\GLNON.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\Users\Admin\AppData\Local\Temp\GLNON.exe
    /sxml C:\Users\Admin\AppData\Roaming\ff.xml
    3⤵
    - Executes dropped EXE
    PID:1380
- - C:\Users\Admin\AppData\Local\Temp\GLNON.exe
    /sxml C:\Users\Admin\AppData\Roaming\opera.xml
    3⤵
    - Executes dropped EXE
    PID:224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GLNON.exe

Filesize
174KB

MD5
7d0ffe72b30e273a4c7839dc8bbba4a9

SHA1
1aeda1d722c9e264e5e42e942dcfae44ff6538bb

SHA256
e72d4df7868b9b38aaffd1142a8323af437ed437e4ea426936023955d9f9cc27

SHA512
9beff9decf10ad36f798354a40a4b273992fdc94ab571a99df177271b6b5653ec9212f82afc7d35343e9d00ba75d82b4d80a36b1c1c50ff080704e20e9134511

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLNON.exe

Filesize
174KB

MD5
7d0ffe72b30e273a4c7839dc8bbba4a9

SHA1
1aeda1d722c9e264e5e42e942dcfae44ff6538bb

SHA256
e72d4df7868b9b38aaffd1142a8323af437ed437e4ea426936023955d9f9cc27

SHA512
9beff9decf10ad36f798354a40a4b273992fdc94ab571a99df177271b6b5653ec9212f82afc7d35343e9d00ba75d82b4d80a36b1c1c50ff080704e20e9134511

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLNON.exe

Filesize
174KB

MD5
7d0ffe72b30e273a4c7839dc8bbba4a9

SHA1
1aeda1d722c9e264e5e42e942dcfae44ff6538bb

SHA256
e72d4df7868b9b38aaffd1142a8323af437ed437e4ea426936023955d9f9cc27

SHA512
9beff9decf10ad36f798354a40a4b273992fdc94ab571a99df177271b6b5653ec9212f82afc7d35343e9d00ba75d82b4d80a36b1c1c50ff080704e20e9134511

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLNON.exe

Filesize
174KB

MD5
7d0ffe72b30e273a4c7839dc8bbba4a9

SHA1
1aeda1d722c9e264e5e42e942dcfae44ff6538bb

SHA256
e72d4df7868b9b38aaffd1142a8323af437ed437e4ea426936023955d9f9cc27

SHA512
9beff9decf10ad36f798354a40a4b273992fdc94ab571a99df177271b6b5653ec9212f82afc7d35343e9d00ba75d82b4d80a36b1c1c50ff080704e20e9134511

Download Submit
C:\Users\Admin\AppData\Roaming\ff.xml

Filesize
156B

MD5
cf1bf0cef07982c3c40c444a6c3da7b7

SHA1
016bbd6a4e87f18acce62b66c2200680b117ed5a

SHA256
815c9cee25138f25321e3d50f1207c0b7b57527c9f331e0514b97d34bbe75f2b

SHA512
49f07b5a9d341205a09c0cfa75f7bac70405b5f088d2b690c6a755e9ed1955479d8fa45a887299184092068b9748a9dfea3a86627a5ece696cff9326cd692e07

Download Submit
C:\Users\Admin\AppData\Roaming\opera.xml

Filesize
194B

MD5
7bdf4beba3fe18b2dacd8cd93a44cd89

SHA1
5beded5450365859883f67afa395b4b5148cc168

SHA256
c03653e651c20c8316c17f59d62b31386c73052ba518283d4abfa852c1866b56

SHA512
ce68a5669e010031b87792f55a63912b1b8bf990783b070262552eeb085b9089f98d34244318d61f03b4a6db5c4b2f305e9b7c8a132538234ff5fc283e178f30

Download Submit
memory/224-158-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/224-157-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/224-156-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/224-151-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/224-150-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/224-149-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1380-137-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1380-147-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1380-145-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1380-144-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1380-139-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1380-138-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1884-136-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/1884-133-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/4508-146-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/4508-160-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/4508-161-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing