fbc5a4e6acbf83fbcc16cfc4dd1c2f1f33b9b194bab3be61d868ddbbdc1071b1

General

Target

fbc5a4e6acbf83fbcc16cfc4dd1c2f1f33b9b194bab3be61d868ddbbdc1071b1.exe
Size

1.7MB
MD5

f576f0150ef8388f277bbf2dbcd2bad3
SHA1

2f884eff4b45e9abeb7221a2a35d62372f81299d
SHA256

fbc5a4e6acbf83fbcc16cfc4dd1c2f1f33b9b194bab3be61d868ddbbdc1071b1
SHA512

906848bea7203b38fbfda1d23d1d2a58a5ce708f5bee0c3cd0146f5ede3cc9f68c0bfc985a969f2a04f91a0e56697bca8e9a38afa8a7b435828d8e31e45aa2c8
SSDEEP

24576:kyrFbYuG6e8dH3Hg6WznI0IPLT6ADYFtG4pNTpi3WR0wz0Nbo4nhE23Q:RHQMwGYFI4Dk3WRELnhEwQ

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

Processes:

fbc5a4e6acbf83fbcc16cfc4dd1c2f1f33b9b194bab3be61d868ddbbdc1071b1.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kieolndefgkmjdgnpbfkpchnobhjmanm\2.0\manifest.json	fbc5a4e6acbf83fbcc16cfc4dd1c2f1f33b9b194bab3be61d868ddbbdc1071b1.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\kieolndefgkmjdgnpbfkpchnobhjmanm\2.0\manifest.json	fbc5a4e6acbf83fbcc16cfc4dd1c2f1f33b9b194bab3be61d868ddbbdc1071b1.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\kieolndefgkmjdgnpbfkpchnobhjmanm\2.0\manifest.json	fbc5a4e6acbf83fbcc16cfc4dd1c2f1f33b9b194bab3be61d868ddbbdc1071b1.exe

Drops file in System32 directory 4 IoCs

Processes:

fbc5a4e6acbf83fbcc16cfc4dd1c2f1f33b9b194bab3be61d868ddbbdc1071b1.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	fbc5a4e6acbf83fbcc16cfc4dd1c2f1f33b9b194bab3be61d868ddbbdc1071b1.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	fbc5a4e6acbf83fbcc16cfc4dd1c2f1f33b9b194bab3be61d868ddbbdc1071b1.exe
File opened for modification	C:\Windows\System32\GroupPolicy	fbc5a4e6acbf83fbcc16cfc4dd1c2f1f33b9b194bab3be61d868ddbbdc1071b1.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	fbc5a4e6acbf83fbcc16cfc4dd1c2f1f33b9b194bab3be61d868ddbbdc1071b1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

fbc5a4e6acbf83fbcc16cfc4dd1c2f1f33b9b194bab3be61d868ddbbdc1071b1.exe

pid	process
1512	fbc5a4e6acbf83fbcc16cfc4dd1c2f1f33b9b194bab3be61d868ddbbdc1071b1.exe
1512	fbc5a4e6acbf83fbcc16cfc4dd1c2f1f33b9b194bab3be61d868ddbbdc1071b1.exe

C:\Users\Admin\AppData\Local\Temp\fbc5a4e6acbf83fbcc16cfc4dd1c2f1f33b9b194bab3be61d868ddbbdc1071b1.exe
"C:\Users\Admin\AppData\Local\Temp\fbc5a4e6acbf83fbcc16cfc4dd1c2f1f33b9b194bab3be61d868ddbbdc1071b1.exe"
1⤵
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1512

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1512-54-0x00000000756A1000-0x00000000756A3000-memory.dmp

Filesize
8KB

Download
memory/1512-55-0x0000000000CC0000-0x0000000000D61000-memory.dmp

Filesize
644KB

Download
memory/1512-60-0x0000000000332000-0x0000000000336000-memory.dmp

Filesize
16KB

Download
memory/1512-61-0x0000000000332000-0x0000000000336000-memory.dmp

Filesize
16KB

Download
memory/1512-62-0x0000000000332000-0x0000000000336000-memory.dmp

Filesize
16KB

Download
memory/1512-63-0x0000000000332000-0x0000000000336000-memory.dmp

Filesize
16KB

Download
memory/1512-64-0x0000000000332000-0x0000000000336000-memory.dmp

Filesize
16KB

Download
memory/1512-65-0x0000000000332000-0x0000000000336000-memory.dmp

Filesize
16KB

Download
memory/1512-66-0x0000000000332000-0x0000000000336000-memory.dmp

Filesize
16KB

Download
memory/1512-67-0x0000000000332000-0x0000000000336000-memory.dmp

Filesize
16KB

Download
memory/1512-68-0x0000000000332000-0x0000000000336000-memory.dmp

Filesize
16KB

Download
memory/1512-69-0x0000000000332000-0x0000000000336000-memory.dmp

Filesize
16KB

Download
memory/1512-70-0x0000000000332000-0x0000000000336000-memory.dmp

Filesize
16KB

Download
memory/1512-71-0x0000000000332000-0x0000000000336000-memory.dmp

Filesize
16KB

Download
memory/1512-72-0x0000000000332000-0x0000000000336000-memory.dmp

Filesize
16KB

Download
memory/1512-73-0x0000000000332000-0x0000000000336000-memory.dmp

Filesize
16KB

Download
memory/1512-74-0x0000000000332000-0x0000000000336000-memory.dmp

Filesize
16KB

Download
memory/1512-75-0x0000000000332000-0x0000000000336000-memory.dmp

Filesize
16KB

Download
memory/1512-76-0x0000000000332000-0x0000000000336000-memory.dmp

Filesize
16KB

Download
memory/1512-77-0x0000000000332000-0x0000000000336000-memory.dmp

Filesize
16KB

Download
memory/1512-78-0x0000000000332000-0x0000000000336000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads