83b2ee96940a6d6fc8f1ee0064cafd17abb9db05e89e1cdb4e207ca2987c2f1d | Triage

Submit
Reports

Overview

overview

9

Static

static

83b2ee9694...1d.exe

windows7-x64

9

83b2ee9694...1d.exe

windows10-2004-x64

8

Sharing

General

Target

83b2ee96940a6d6fc8f1ee0064cafd17abb9db05e89e1cdb4e207ca2987c2f1d
Size

966KB
Sample

221123-q4qr5aaf6s
MD5

f894cd4217838c01eb188e0e6c02a162
SHA1

05ff59b6ff17fdd1d8ce9c1e14346dc93a382ee1
SHA256

83b2ee96940a6d6fc8f1ee0064cafd17abb9db05e89e1cdb4e207ca2987c2f1d
SHA512

da93bed4ab8cc145e4c60c69b2fc148b2dde9a221791874ff0afbcd7518cbabca90f6f0fc0df134e52f395ca3f9d12e5348f51c6f259db6ce6a1150eed48bba9
SSDEEP

24576:j7CIrr0eIp7RYDT18UJaerBvhcPILrrq2tkyzMhGGk:3CWIp7RYCxe1vKPg5kycv

Score

9^/10

collection persistence spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

83b2ee96940a6d6fc8f1ee0064cafd17abb9db05e89e1cdb4e207ca2987c2f1d.exe

Resource

win7-20221111-en

collection persistence spyware stealer

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

83b2ee96940a6d6fc8f1ee0064cafd17abb9db05e89e1cdb4e207ca2987c2f1d.exe

Resource

win10v2004-20221111-en

persistence spyware stealer

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Targets

- Target
  
  83b2ee96940a6d6fc8f1ee0064cafd17abb9db05e89e1cdb4e207ca2987c2f1d
- Size
  
  966KB
- MD5
  
  f894cd4217838c01eb188e0e6c02a162
- SHA1
  
  05ff59b6ff17fdd1d8ce9c1e14346dc93a382ee1
- SHA256
  
  83b2ee96940a6d6fc8f1ee0064cafd17abb9db05e89e1cdb4e207ca2987c2f1d
- SHA512
  
  da93bed4ab8cc145e4c60c69b2fc148b2dde9a221791874ff0afbcd7518cbabca90f6f0fc0df134e52f395ca3f9d12e5348f51c6f259db6ce6a1150eed48bba9
- SSDEEP
  
  24576:j7CIrr0eIp7RYDT18UJaerBvhcPILrrq2tkyzMhGGk:3CWIp7RYCxe1vKPg5kycv
Score

9^/10

collection persistence spyware stealer
- NirSoft MailPassView
  Password recovery tool for various email clients
- Nirsoft
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

collectionpersistencespywarestealer

behavioral2

persistencespywarestealer

© 2018-2024

Terms | Privacy