windealer | ea4561607c00687ea82b3365de26959f1adb98b6a9ba64fa6d47a6c19f22daa4

Analysis

max time kernel
44s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
22-11-2022 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea4561607c00687ea82b3365de26959f1adb98b6a9ba64fa6d47a6c19f22daa4.exe
Size

444KB
MD5

73695fc3868f541995b3d1cc4dfc1350
SHA1

158c7382c88e10ab0208c9a3c72d5f579b614947
SHA256

ea4561607c00687ea82b3365de26959f1adb98b6a9ba64fa6d47a6c19f22daa4
SHA512

e662c2cfa651f8b080c8c0b6650a60565ba3d93130ce7c68a927454e5bef11400b495de5512bcc62d530c9243a450c9c2252f789c5b2911b2913ea163502dbfc
SSDEEP

6144:FAv4cqcUtBUmm60Lo6Dje6lNPPvKspCgOU7ApITDs4aiIjT+WhB:yrqhtBUmm6bQe6f/Ks4gj7AVuO

Score

10^/10

windealer stealer trojan

Malware Config

Signatures

Detect WinDealer information stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1388-55-0x0000000010000000-0x000000001003B000-memory.dmp	family_windealer
behavioral1/memory/1388-56-0x0000000010000000-0x000000001003B000-memory.dmp	family_windealer

WinDealer
WinDealer is an info stealer used by LuoYu group.
stealer trojan windealer

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ea4561607c00687ea82b3365de26959f1adb98b6a9ba64fa6d47a6c19f22daa4.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ea4561607c00687ea82b3365de26959f1adb98b6a9ba64fa6d47a6c19f22daa4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ea4561607c00687ea82b3365de26959f1adb98b6a9ba64fa6d47a6c19f22daa4.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ea4561607c00687ea82b3365de26959f1adb98b6a9ba64fa6d47a6c19f22daa4.exe

pid	process
1388	ea4561607c00687ea82b3365de26959f1adb98b6a9ba64fa6d47a6c19f22daa4.exe
1388	ea4561607c00687ea82b3365de26959f1adb98b6a9ba64fa6d47a6c19f22daa4.exe

C:\Users\Admin\AppData\Local\Temp\ea4561607c00687ea82b3365de26959f1adb98b6a9ba64fa6d47a6c19f22daa4.exe
"C:\Users\Admin\AppData\Local\Temp\ea4561607c00687ea82b3365de26959f1adb98b6a9ba64fa6d47a6c19f22daa4.exe"
1⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:1388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1388-54-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/1388-55-0x0000000010000000-0x000000001003B000-memory.dmp

Filesize
236KB

Download
memory/1388-56-0x0000000010000000-0x000000001003B000-memory.dmp

Filesize
236KB

Download