0bb0f209e50b87a21dd65f0eeac7128e96026fb7ace4d9b9223d2b28f0eb702a

General

Target

0bb0f209e50b87a21dd65f0eeac7128e96026fb7ace4d9b9223d2b28f0eb702a.exe
Size

436KB
MD5

5383411fd564aae161291016199915d2
SHA1

01a31f6b8bcf556cc77caa089cbaa7696613c61e
SHA256

0bb0f209e50b87a21dd65f0eeac7128e96026fb7ace4d9b9223d2b28f0eb702a
SHA512

fc310a9db9bd446a2fb5b30047ca00cbb2e0efe35a5e9537c684cc8e8da286f95fcec8adeda245b91ab9046c2162b5807d60bf684a04dbfb906e1ce9eb4057e9
SSDEEP

12288:xUbCGn0F45IAuMZWaRCd2aUwsdN5mne/zfMM3H3dcr2v:6bC4XuMZWwaU5lMM9Xv

Score

9^/10

spyware stealer

Malware Config

Signatures

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1604-55-0x0000000000440000-0x0000000000498000-memory.dmp	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\WinDefender.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\WinDefender.exe	WebBrowserPassView

Nirsoft 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1604-55-0x0000000000440000-0x0000000000498000-memory.dmp	Nirsoft
C:\Users\Admin\AppData\Local\Temp\WinDefender.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\WinDefender.exe	Nirsoft

Executes dropped EXE 2 IoCs

Processes:

WinDefender.exeWinDefender.exe

pid process

1820 WinDefender.exe
328 WinDefender.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1820	WinDefender.exe
328	WinDefender.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

0bb0f209e50b87a21dd65f0eeac7128e96026fb7ace4d9b9223d2b28f0eb702a.exe

description	pid	process	target process
PID 1604 wrote to memory of 1820	1604	0bb0f209e50b87a21dd65f0eeac7128e96026fb7ace4d9b9223d2b28f0eb702a.exe	WinDefender.exe
PID 1604 wrote to memory of 1820	1604	0bb0f209e50b87a21dd65f0eeac7128e96026fb7ace4d9b9223d2b28f0eb702a.exe	WinDefender.exe
PID 1604 wrote to memory of 1820	1604	0bb0f209e50b87a21dd65f0eeac7128e96026fb7ace4d9b9223d2b28f0eb702a.exe	WinDefender.exe
PID 1604 wrote to memory of 1820	1604	0bb0f209e50b87a21dd65f0eeac7128e96026fb7ace4d9b9223d2b28f0eb702a.exe	WinDefender.exe
PID 1604 wrote to memory of 328	1604	0bb0f209e50b87a21dd65f0eeac7128e96026fb7ace4d9b9223d2b28f0eb702a.exe	WinDefender.exe
PID 1604 wrote to memory of 328	1604	0bb0f209e50b87a21dd65f0eeac7128e96026fb7ace4d9b9223d2b28f0eb702a.exe	WinDefender.exe
PID 1604 wrote to memory of 328	1604	0bb0f209e50b87a21dd65f0eeac7128e96026fb7ace4d9b9223d2b28f0eb702a.exe	WinDefender.exe
PID 1604 wrote to memory of 328	1604	0bb0f209e50b87a21dd65f0eeac7128e96026fb7ace4d9b9223d2b28f0eb702a.exe	WinDefender.exe

C:\Users\Admin\AppData\Local\Temp\0bb0f209e50b87a21dd65f0eeac7128e96026fb7ace4d9b9223d2b28f0eb702a.exe
"C:\Users\Admin\AppData\Local\Temp\0bb0f209e50b87a21dd65f0eeac7128e96026fb7ace4d9b9223d2b28f0eb702a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1604

C:\Users\Admin\AppData\Local\Temp\WinDefender.exe
C:\Users\Admin\AppData\Local\Temp\WinDefender.exe /stext C:\Users\Admin\AppData\Local\Temp\WinDefender.txt
2⤵
- Executes dropped EXE
PID:1820

C:\Users\Admin\AppData\Local\Temp\WinDefender.exe
C:\Users\Admin\AppData\Local\Temp\WinDefender.exe /stext C:\Users\Admin\AppData\Local\Temp\WinDefender.txt
2⤵
- Executes dropped EXE
PID:328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WinDefender.cfg

Filesize
625B

MD5
53dd16e9e2c84000bfbaaccdd8c665cb

SHA1
ccc200b7209c1b1c2f53ef28f4921f381cbfc26b

SHA256
01f42a5556577633271e6f4fe2b1259cf2792334aa1da543009fc10548f57966

SHA512
74a8853b6a48c560a2b51593fd6255ed588a830cd41460976c6b1615da26d0138819007d4098636a589cf9c5e659881afafd2c32fca6930faee22a11af37f019

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinDefender.cfg

Filesize
625B

MD5
53dd16e9e2c84000bfbaaccdd8c665cb

SHA1
ccc200b7209c1b1c2f53ef28f4921f381cbfc26b

SHA256
01f42a5556577633271e6f4fe2b1259cf2792334aa1da543009fc10548f57966

SHA512
74a8853b6a48c560a2b51593fd6255ed588a830cd41460976c6b1615da26d0138819007d4098636a589cf9c5e659881afafd2c32fca6930faee22a11af37f019

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinDefender.exe

Filesize
330KB

MD5
0034bf63b590f7db029665c474bfbd17

SHA1
224d9e907ed2cac0d411a3072d8f447c01be8af7

SHA256
852a04e988a258d10a39db1721c2b49efa512367f0cdd459d3c8e6afbd64075f

SHA512
75f339cd90be002c8b58b23af74665f8855c9b092f9b1f9f22ae45783c5ce05c5fab25ae8334c0a9da4257e57b692196161e1dae442317f0c2aa1510a85e23fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinDefender.exe

Filesize
330KB

MD5
0034bf63b590f7db029665c474bfbd17

SHA1
224d9e907ed2cac0d411a3072d8f447c01be8af7

SHA256
852a04e988a258d10a39db1721c2b49efa512367f0cdd459d3c8e6afbd64075f

SHA512
75f339cd90be002c8b58b23af74665f8855c9b092f9b1f9f22ae45783c5ce05c5fab25ae8334c0a9da4257e57b692196161e1dae442317f0c2aa1510a85e23fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinDefender.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinDefender.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/328-61-0x0000000000000000-mapping.dmp

Download
memory/1604-54-0x0000000000EC0000-0x0000000000F34000-memory.dmp

Filesize
464KB

Download
memory/1604-55-0x0000000000440000-0x0000000000498000-memory.dmp

Filesize
352KB

Download
memory/1604-66-0x000000001AE06000-0x000000001AE25000-memory.dmp

Filesize
124KB

Download
memory/1604-67-0x000000001AE06000-0x000000001AE25000-memory.dmp

Filesize
124KB

Download
memory/1820-58-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download
memory/1820-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads