27f47faa080d2b9f4c7672b4da78c6410a25b7af5571d3e748f83a01f2144d0a

General

Target

27f47faa080d2b9f4c7672b4da78c6410a25b7af5571d3e748f83a01f2144d0a.exe
Size

884KB
MD5

9129275edf49cff83327c10120a17d7d
SHA1

341d26a56440f86ab4151b7e8f64abab6abb9e0f
SHA256

27f47faa080d2b9f4c7672b4da78c6410a25b7af5571d3e748f83a01f2144d0a
SHA512

a07edbde06a0389b68b96fda94244ed6e911efaca98f8e7f1425e0a5538d2124a361dfd4e2d245edd837759665e7c2e1420b97aba1c9858a12c40e16fb518f18
SSDEEP

24576:bQUQNSnYKZvrfEkOS5bLvotxWFuHmGNvu12qT:cUQNoYozLvvotxguXm

Score

8^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

stealerunc.execsrss.exe

pid process

1272 stealerunc.exe
2028 csrss.exe

pid	process
1272	stealerunc.exe
2028	csrss.exe

Loads dropped DLL 3 IoCs

Processes:

27f47faa080d2b9f4c7672b4da78c6410a25b7af5571d3e748f83a01f2144d0a.exestealerunc.exe

pid	process
2016	27f47faa080d2b9f4c7672b4da78c6410a25b7af5571d3e748f83a01f2144d0a.exe
2016	27f47faa080d2b9f4c7672b4da78c6410a25b7af5571d3e748f83a01f2144d0a.exe
1272	stealerunc.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

stealerunc.exe

description pid process target process

PID 1272 set thread context of 2028 1272 stealerunc.exe csrss.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1600 timeout.exe

description	pid	process	target process
PID 1272 set thread context of 2028	1272	stealerunc.exe	csrss.exe

pid	process
1600	timeout.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

27f47faa080d2b9f4c7672b4da78c6410a25b7af5571d3e748f83a01f2144d0a.exestealerunc.execsrss.execmd.exe

description	pid	process	target process
PID 2016 wrote to memory of 1272	2016	27f47faa080d2b9f4c7672b4da78c6410a25b7af5571d3e748f83a01f2144d0a.exe	stealerunc.exe
PID 2016 wrote to memory of 1272	2016	27f47faa080d2b9f4c7672b4da78c6410a25b7af5571d3e748f83a01f2144d0a.exe	stealerunc.exe
PID 2016 wrote to memory of 1272	2016	27f47faa080d2b9f4c7672b4da78c6410a25b7af5571d3e748f83a01f2144d0a.exe	stealerunc.exe
PID 2016 wrote to memory of 1272	2016	27f47faa080d2b9f4c7672b4da78c6410a25b7af5571d3e748f83a01f2144d0a.exe	stealerunc.exe
PID 1272 wrote to memory of 2028	1272	stealerunc.exe	csrss.exe
PID 1272 wrote to memory of 2028	1272	stealerunc.exe	csrss.exe
PID 1272 wrote to memory of 2028	1272	stealerunc.exe	csrss.exe
PID 1272 wrote to memory of 2028	1272	stealerunc.exe	csrss.exe
PID 1272 wrote to memory of 2028	1272	stealerunc.exe	csrss.exe
PID 1272 wrote to memory of 2028	1272	stealerunc.exe	csrss.exe
PID 1272 wrote to memory of 2028	1272	stealerunc.exe	csrss.exe
PID 1272 wrote to memory of 2028	1272	stealerunc.exe	csrss.exe
PID 1272 wrote to memory of 2028	1272	stealerunc.exe	csrss.exe
PID 1272 wrote to memory of 2028	1272	stealerunc.exe	csrss.exe
PID 1272 wrote to memory of 2028	1272	stealerunc.exe	csrss.exe
PID 1272 wrote to memory of 2028	1272	stealerunc.exe	csrss.exe
PID 2028 wrote to memory of 112	2028	csrss.exe	cmd.exe
PID 2028 wrote to memory of 112	2028	csrss.exe	cmd.exe
PID 2028 wrote to memory of 112	2028	csrss.exe	cmd.exe
PID 2028 wrote to memory of 112	2028	csrss.exe	cmd.exe
PID 112 wrote to memory of 1600	112	cmd.exe	timeout.exe
PID 112 wrote to memory of 1600	112	cmd.exe	timeout.exe
PID 112 wrote to memory of 1600	112	cmd.exe	timeout.exe
PID 112 wrote to memory of 1600	112	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\27f47faa080d2b9f4c7672b4da78c6410a25b7af5571d3e748f83a01f2144d0a.exe
"C:\Users\Admin\AppData\Local\Temp\27f47faa080d2b9f4c7672b4da78c6410a25b7af5571d3e748f83a01f2144d0a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\stealerunc.exe
"C:\Users\Admin\AppData\Local\Temp\stealerunc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1272

C:\Users\Admin\AppData\Roaming\csrss.exe
C:\Users\Admin\AppData\Roaming\csrss.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\STEALE~1.EXE
4⤵
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\SysWOW64\timeout.exe
timeout 5
5⤵
- Delays execution with timeout.exe
PID:1600

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\stealerunc.exe
Filesize
552KB

MD5
9f8f31df7b0b9b8645566f4ac1ca01e3

SHA1
2105930b6c90e84cfa42650f3b3dd08f9091195f

SHA256
b42e8b3e33db6373dfd95d473b98ac5de50b1e0103cb0b4c6e30c2746fdc563c

SHA512
734947b24dfbb4d5782cafd48d064ae39f6fb57e930704868afbe64cf511ba08409de6c36c58fafef2e4a0637730b5bbd2d09af9a6dcaaabcef7afa61c5af71d

Download Submit
C:\Users\Admin\AppData\Local\Temp\stealerunc.exe
Filesize
552KB

MD5
9f8f31df7b0b9b8645566f4ac1ca01e3

SHA1
2105930b6c90e84cfa42650f3b3dd08f9091195f

SHA256
b42e8b3e33db6373dfd95d473b98ac5de50b1e0103cb0b4c6e30c2746fdc563c

SHA512
734947b24dfbb4d5782cafd48d064ae39f6fb57e930704868afbe64cf511ba08409de6c36c58fafef2e4a0637730b5bbd2d09af9a6dcaaabcef7afa61c5af71d

Download Submit
C:\Users\Admin\AppData\Roaming\csrss.exe
Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
C:\Users\Admin\AppData\Roaming\csrss.exe
Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
\Users\Admin\AppData\Local\Temp\stealerunc.exe
Filesize
552KB

MD5
9f8f31df7b0b9b8645566f4ac1ca01e3

SHA1
2105930b6c90e84cfa42650f3b3dd08f9091195f

SHA256
b42e8b3e33db6373dfd95d473b98ac5de50b1e0103cb0b4c6e30c2746fdc563c

SHA512
734947b24dfbb4d5782cafd48d064ae39f6fb57e930704868afbe64cf511ba08409de6c36c58fafef2e4a0637730b5bbd2d09af9a6dcaaabcef7afa61c5af71d

Download Submit
\Users\Admin\AppData\Local\Temp\stealerunc.exe
Filesize
552KB

MD5
9f8f31df7b0b9b8645566f4ac1ca01e3

SHA1
2105930b6c90e84cfa42650f3b3dd08f9091195f

SHA256
b42e8b3e33db6373dfd95d473b98ac5de50b1e0103cb0b4c6e30c2746fdc563c

SHA512
734947b24dfbb4d5782cafd48d064ae39f6fb57e930704868afbe64cf511ba08409de6c36c58fafef2e4a0637730b5bbd2d09af9a6dcaaabcef7afa61c5af71d

Download Submit
\Users\Admin\AppData\Roaming\csrss.exe
Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
memory/112-81-0x0000000000000000-mapping.dmp

Download
memory/1272-63-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download
memory/1272-57-0x0000000000000000-mapping.dmp

Download
memory/1272-79-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download
memory/1600-83-0x0000000000000000-mapping.dmp

Download
memory/2016-61-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download
memory/2016-54-0x0000000075661000-0x0000000075663000-memory.dmp

Filesize
8KB

Download
memory/2028-68-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2028-72-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2028-74-0x0000000000441175-mapping.dmp

Download
memory/2028-73-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2028-78-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2028-70-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2028-80-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2028-65-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2028-82-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2028-66-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download

Analysis

Sharing