3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86 | Triage

Submit
Reports

Overview

overview

9

Static

static

3ceef80c3d...86.exe

windows7-x64

9

3ceef80c3d...86.exe

windows10-2004-x64

8

Sharing

General

Target

3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86
Size

619KB
Sample

221123-xaj6taed42
MD5

055e822885e9b0971b4e87b0ebfa4ab6
SHA1

c23f1fe682b87478bd3e327dd499960adf412aef
SHA256

3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86
SHA512

85fe528df5975ef29fb794f99a91dc9d0fab665c4fd8bc923f7a980ddefff00696441343c0684db1ad8894830d5c2f538b5fce3420520318c149a33ae5035afe
SSDEEP

12288:YkA5CuXTZVMUX8+fdS+D3niMcH+GjXyNrZWsg:Y15CuDZVMethD3i9HVXU9g

Score

9^/10

collection persistence spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe

Resource

win7-20220812-en

collection persistence spyware stealer

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86.exe

Resource

win10v2004-20220812-en

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86
- Size
  
  619KB
- MD5
  
  055e822885e9b0971b4e87b0ebfa4ab6
- SHA1
  
  c23f1fe682b87478bd3e327dd499960adf412aef
- SHA256
  
  3ceef80c3de4e08f798a9d3a958da20cd1790a06e55a8805053f51a004b83d86
- SHA512
  
  85fe528df5975ef29fb794f99a91dc9d0fab665c4fd8bc923f7a980ddefff00696441343c0684db1ad8894830d5c2f538b5fce3420520318c149a33ae5035afe
- SSDEEP
  
  12288:YkA5CuXTZVMUX8+fdS+D3niMcH+GjXyNrZWsg:Y15CuDZVMethD3i9HVXU9g
Score

9^/10

collection persistence spyware stealer
- NirSoft MailPassView
  Password recovery tool for various email clients
- Nirsoft
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

collectionpersistencespywarestealer

behavioral2

© 2018-2024

Terms | Privacy