9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b

General

Target

9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe
Size

393KB
MD5

5a59e990490fcb2682313ed67eabbd76
SHA1

fe659afdfbc359195fa4fd2905d863aa48a05719
SHA256

9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b
SHA512

3e436974b453898b98a14752495bea53a62962054243ecd38a199381dfedc088abba659c43ca40db7a130d6880546314a2fac867e7e830b6703244dd84e19d95
SSDEEP

12288:SK7a4rM4aDbulrp+U1hmekZ997yysjlKTU25fjtm:SK7aEHaPErh3mPaj8TU25Lg

Score

9^/10

spyware stealer

Malware Config

Signatures

NirSoft WebBrowserPassView 6 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/3768-135-0x0000000000400000-0x000000000045C000-memory.dmp	WebBrowserPassView
behavioral2/memory/3768-137-0x0000000000400000-0x000000000045C000-memory.dmp	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\CODEJO~3.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\CODEJO~3.exe	WebBrowserPassView
behavioral2/memory/3768-144-0x0000000000400000-0x000000000045C000-memory.dmp	WebBrowserPassView
behavioral2/memory/3768-146-0x0000000000400000-0x000000000045C000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3768-135-0x0000000000400000-0x000000000045C000-memory.dmp	Nirsoft
behavioral2/memory/3768-137-0x0000000000400000-0x000000000045C000-memory.dmp	Nirsoft
C:\Users\Admin\AppData\Local\Temp\CODEJO~3.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\CODEJO~3.exe	Nirsoft
behavioral2/memory/3768-144-0x0000000000400000-0x000000000045C000-memory.dmp	Nirsoft
behavioral2/memory/3768-146-0x0000000000400000-0x000000000045C000-memory.dmp	Nirsoft

Executes dropped EXE 1 IoCs

Processes:

CODEJO~3.exe

pid process

4624 CODEJO~3.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4624	CODEJO~3.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe

description	pid	process	target process
PID 4572 set thread context of 3768	4572	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exeCODEJO~3.exe

pid	process
4572	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe
4572	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe
4624	CODEJO~3.exe
4624	CODEJO~3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe

description pid process

Token: SeDebugPrivilege 4572 9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe

pid process

3768 9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe

description	pid	process
Token: SeDebugPrivilege	4572	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe

pid	process
3768	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe

description	pid	process	target process
PID 4572 wrote to memory of 3684	4572	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe
PID 4572 wrote to memory of 3684	4572	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe
PID 4572 wrote to memory of 3684	4572	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe
PID 4572 wrote to memory of 3768	4572	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe
PID 4572 wrote to memory of 3768	4572	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe
PID 4572 wrote to memory of 3768	4572	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe
PID 4572 wrote to memory of 3768	4572	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe
PID 4572 wrote to memory of 3768	4572	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe
PID 4572 wrote to memory of 3768	4572	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe
PID 4572 wrote to memory of 3768	4572	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe
PID 3768 wrote to memory of 4624	3768	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe	CODEJO~3.exe
PID 3768 wrote to memory of 4624	3768	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe	CODEJO~3.exe
PID 3768 wrote to memory of 4624	3768	9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe	CODEJO~3.exe

C:\Users\Admin\AppData\Local\Temp\9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe
"C:\Users\Admin\AppData\Local\Temp\9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4572

C:\Users\Admin\AppData\Local\Temp\9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe
C:\Users\Admin\AppData\Local\Temp\9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe
2⤵
PID:3684

C:\Users\Admin\AppData\Local\Temp\9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe
C:\Users\Admin\AppData\Local\Temp\9ac48d51837d6381c5e843d0eac2e4272213d56ac83cb69d35f557f4500f3b4b.exe
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3768

C:\Users\Admin\AppData\Local\Temp\CODEJO~3.exe
C:\Users\Admin\AppData\Local\Temp\CODEJO~3.exe /stext C:\Users\Admin\AppData\Local\Temp\temp.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CODEJO~3.exe
Filesize
344KB

MD5
8d7c27f3281b6480d5e89fbca633f0a7

SHA1
69b85b63db4808213501ee91d06ad9d79ba90fb4

SHA256
5b36d92a327557c26768d6d871f227b195da512dedbdcdfea96f267f97f967ee

SHA512
c60ab992d7e05fa7e9b61f4bbfb2d538427f8f5a493532ec9bbb4667f880573eb72a9ddc0c954fb14d1964b4eb1fdc247cde423530f21f82f4e31d9c026fc60e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CODEJO~3.exe
Filesize
344KB

MD5
8d7c27f3281b6480d5e89fbca633f0a7

SHA1
69b85b63db4808213501ee91d06ad9d79ba90fb4

SHA256
5b36d92a327557c26768d6d871f227b195da512dedbdcdfea96f267f97f967ee

SHA512
c60ab992d7e05fa7e9b61f4bbfb2d538427f8f5a493532ec9bbb4667f880573eb72a9ddc0c954fb14d1964b4eb1fdc247cde423530f21f82f4e31d9c026fc60e

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.txt
Filesize
3KB

MD5
f94dc819ca773f1e3cb27abbc9e7fa27

SHA1
9a7700efadc5ea09ab288544ef1e3cd876255086

SHA256
a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

SHA512
72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

Download Submit
memory/3684-133-0x0000000000000000-mapping.dmp

Download
memory/3768-134-0x0000000000000000-mapping.dmp

Download
memory/3768-135-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3768-137-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3768-144-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3768-146-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4572-132-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/4572-140-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/4624-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads