9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b

General

Target

9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe
Size

393KB
MD5

5a59e990490fcb2682313ed67eabbd76
SHA1

fe659afdfbc359195fa4fd2905d863aa48a05719
SHA256

9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b
SHA512

3e436974b453898b98a14752495bea53a62962054243ecd38a199381dfedc088abba659c43ca40db7a130d6880546314a2fac867e7e830b6703244dd84e19d95
SSDEEP

12288:SK7a4rM4aDbulrp+U1hmekZ997yysjlKTU25fjtm:SK7aEHaPErh3mPaj8TU25Lg

Score

9^/10

spyware stealer

Malware Config

Signatures

NirSoft WebBrowserPassView 7 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1560-60-0x0000000000400000-0x000000000045C000-memory.dmp	WebBrowserPassView
behavioral1/memory/1560-61-0x0000000000401100-mapping.dmp	WebBrowserPassView
\Users\Admin\AppData\Local\Temp\CODEJO~3.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\CODEJO~3.exe	WebBrowserPassView
\Users\Admin\AppData\Local\Temp\CODEJO~3.exe	WebBrowserPassView
behavioral1/memory/1560-72-0x0000000000400000-0x000000000045C000-memory.dmp	WebBrowserPassView
behavioral1/memory/1560-75-0x0000000000400000-0x000000000045C000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1560-60-0x0000000000400000-0x000000000045C000-memory.dmp	Nirsoft
behavioral1/memory/1560-61-0x0000000000401100-mapping.dmp	Nirsoft
\Users\Admin\AppData\Local\Temp\CODEJO~3.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\CODEJO~3.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\CODEJO~3.exe	Nirsoft
behavioral1/memory/1560-72-0x0000000000400000-0x000000000045C000-memory.dmp	Nirsoft
behavioral1/memory/1560-75-0x0000000000400000-0x000000000045C000-memory.dmp	Nirsoft

Executes dropped EXE 1 IoCs

Processes:

CODEJO~3.exe

pid process

1228 CODEJO~3.exe

pid	process
1228	CODEJO~3.exe

Loads dropped DLL 2 IoCs

Processes:

9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe

pid	process
1560	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe
1560	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe

description	pid	process	target process
PID 1120 set thread context of 1560	1120	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe

pid process

1560 9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe

description	pid	process	target process
PID 1120 wrote to memory of 1560	1120	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe
PID 1120 wrote to memory of 1560	1120	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe
PID 1120 wrote to memory of 1560	1120	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe
PID 1120 wrote to memory of 1560	1120	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe
PID 1120 wrote to memory of 1560	1120	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe
PID 1120 wrote to memory of 1560	1120	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe
PID 1120 wrote to memory of 1560	1120	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe
PID 1120 wrote to memory of 1560	1120	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe
PID 1560 wrote to memory of 1228	1560	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe	CODEJO~3.exe
PID 1560 wrote to memory of 1228	1560	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe	CODEJO~3.exe
PID 1560 wrote to memory of 1228	1560	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe	CODEJO~3.exe
PID 1560 wrote to memory of 1228	1560	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe	CODEJO~3.exe

C:\Users\Admin\AppData\Local\Temp\9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe
"C:\Users\Admin\AppData\Local\Temp\9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1120

C:\Users\Admin\AppData\Local\Temp\9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe
C:\Users\Admin\AppData\Local\Temp\9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe
2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1560

C:\Users\Admin\AppData\Local\Temp\CODEJO~3.exe
C:\Users\Admin\AppData\Local\Temp\CODEJO~3.exe /stext C:\Users\Admin\AppData\Local\Temp\temp.txt
3⤵
- Executes dropped EXE
PID:1228

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CODEJO~3.exe
Filesize
344KB

MD5
8d7c27f3281b6480d5e89fbca633f0a7

SHA1
69b85b63db4808213501ee91d06ad9d79ba90fb4

SHA256
5b36d92a327557c26768d6d871f227b195da512dedbdcdfea96f267f97f967ee

SHA512
c60ab992d7e05fa7e9b61f4bbfb2d538427f8f5a493532ec9bbb4667f880573eb72a9ddc0c954fb14d1964b4eb1fdc247cde423530f21f82f4e31d9c026fc60e

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.txt
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\CODEJO~3.exe
Filesize
344KB

MD5
8d7c27f3281b6480d5e89fbca633f0a7

SHA1
69b85b63db4808213501ee91d06ad9d79ba90fb4

SHA256
5b36d92a327557c26768d6d871f227b195da512dedbdcdfea96f267f97f967ee

SHA512
c60ab992d7e05fa7e9b61f4bbfb2d538427f8f5a493532ec9bbb4667f880573eb72a9ddc0c954fb14d1964b4eb1fdc247cde423530f21f82f4e31d9c026fc60e

Download Submit
\Users\Admin\AppData\Local\Temp\CODEJO~3.exe
Filesize
344KB

MD5
8d7c27f3281b6480d5e89fbca633f0a7

SHA1
69b85b63db4808213501ee91d06ad9d79ba90fb4

SHA256
5b36d92a327557c26768d6d871f227b195da512dedbdcdfea96f267f97f967ee

SHA512
c60ab992d7e05fa7e9b61f4bbfb2d538427f8f5a493532ec9bbb4667f880573eb72a9ddc0c954fb14d1964b4eb1fdc247cde423530f21f82f4e31d9c026fc60e

Download Submit
memory/1120-76-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/1120-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1120-65-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/1228-69-0x0000000000000000-mapping.dmp

Download
memory/1560-61-0x0000000000401100-mapping.dmp

Download
memory/1560-60-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1560-58-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1560-72-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1560-56-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1560-75-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1560-55-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads