c29041ac8f40814a571381deb81366011be95c05ccb0441b928c8c2a38795736

General

Target

c29041ac8f40814a571381deb81366011be95c05ccb0441b928c8c2a38795736.exe
Size

2.5MB
MD5

7daed4ed46369e858462c8e05fd4d64d
SHA1

e3c58eba9a6b5a4bdfbed9925d8490684893e622
SHA256

c29041ac8f40814a571381deb81366011be95c05ccb0441b928c8c2a38795736
SHA512

edcf185ce3056c0f716a453e04e19bd188232f620177f72b3b424dc0d84f75315abb0568176a4da50eda5c2e353f6a69ba86d06940b4aaeff2b4c8ffbac75556
SSDEEP

49152:h1OsPjtPNg3MaK+715e2Yl8Wd7dZcRGzPbXO2mg6P1Ql5PPLKMRnUDb:h1OujVNI71i86pZbz55PPLKMRUn

Score

8^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

IB9VGFMzo0f3Y0s.exe

pid process

1756 IB9VGFMzo0f3Y0s.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1756	IB9VGFMzo0f3Y0s.exe

Drops Chrome extension 5 IoCs

Processes:

IB9VGFMzo0f3Y0s.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\lpapcpbhddnipgnoppmdfgidikhnmilo\1.0\manifest.json	IB9VGFMzo0f3Y0s.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\lpapcpbhddnipgnoppmdfgidikhnmilo\1.0\manifest.json	IB9VGFMzo0f3Y0s.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\lpapcpbhddnipgnoppmdfgidikhnmilo\1.0\manifest.json	IB9VGFMzo0f3Y0s.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\lpapcpbhddnipgnoppmdfgidikhnmilo\1.0\manifest.json	IB9VGFMzo0f3Y0s.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\lpapcpbhddnipgnoppmdfgidikhnmilo\1.0\manifest.json	IB9VGFMzo0f3Y0s.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

IB9VGFMzo0f3Y0s.exe

pid process

1756 IB9VGFMzo0f3Y0s.exe
1756 IB9VGFMzo0f3Y0s.exe

pid	process
1756	IB9VGFMzo0f3Y0s.exe
1756	IB9VGFMzo0f3Y0s.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

c29041ac8f40814a571381deb81366011be95c05ccb0441b928c8c2a38795736.exe

description	pid	process	target process
PID 5092 wrote to memory of 1756	5092	c29041ac8f40814a571381deb81366011be95c05ccb0441b928c8c2a38795736.exe	IB9VGFMzo0f3Y0s.exe
PID 5092 wrote to memory of 1756	5092	c29041ac8f40814a571381deb81366011be95c05ccb0441b928c8c2a38795736.exe	IB9VGFMzo0f3Y0s.exe
PID 5092 wrote to memory of 1756	5092	c29041ac8f40814a571381deb81366011be95c05ccb0441b928c8c2a38795736.exe	IB9VGFMzo0f3Y0s.exe

C:\Users\Admin\AppData\Local\Temp\c29041ac8f40814a571381deb81366011be95c05ccb0441b928c8c2a38795736.exe
"C:\Users\Admin\AppData\Local\Temp\c29041ac8f40814a571381deb81366011be95c05ccb0441b928c8c2a38795736.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5092

C:\Users\Admin\AppData\Local\Temp\7zSF926.tmp\IB9VGFMzo0f3Y0s.exe
.\IB9VGFMzo0f3Y0s.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Suspicious behavior: EnumeratesProcesses
PID:1756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSF926.tmp\IB9VGFMzo0f3Y0s.dat
Filesize
6KB

MD5
15043c54a933a47ecbe74691a725a067

SHA1
ed7138f6956c69d574fc3a0e2a2b4704ec12b943

SHA256
e9651019e5c7acb762fec8cb1adc4dcbca3f14a1c61fc93e4fd7a65da6e33f58

SHA512
844ca5acd54d25d11e6c21d187937ac1bd6efaaf2d1f5975442d39addc36da94b0e11949ac4af0e15a0eb1d7a7b605446fd8e87915fd51a90dea1e51fbdff4d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF926.tmp\IB9VGFMzo0f3Y0s.exe
Filesize
783KB

MD5
e5f19b8f3fa9ba590482ee5d1c7ed005

SHA1
e3d599ca32f07024e281f26e764ef09697aba822

SHA256
688036044c4521a1841e9fb5a704d505bfc47c4fc80be111e9a321869a56f9b9

SHA512
dde4cd947a2820da9a70c584ad136fc87bf68e272e3b5842967580165a602225fcb754966f2f5d3e66db87026c68f61055893b4d2033183ab5b35fe96d4e16ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF926.tmp\IB9VGFMzo0f3Y0s.exe
Filesize
783KB

MD5
e5f19b8f3fa9ba590482ee5d1c7ed005

SHA1
e3d599ca32f07024e281f26e764ef09697aba822

SHA256
688036044c4521a1841e9fb5a704d505bfc47c4fc80be111e9a321869a56f9b9

SHA512
dde4cd947a2820da9a70c584ad136fc87bf68e272e3b5842967580165a602225fcb754966f2f5d3e66db87026c68f61055893b4d2033183ab5b35fe96d4e16ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF926.tmp\lpapcpbhddnipgnoppmdfgidikhnmilo\background.html
Filesize
138B

MD5
2af9d5094619324a0751dc9935a8102f

SHA1
f7d30ceba03e5962f25ab744a4fc4883cc5ab0ce

SHA256
c3bfad0de1f1839e951ae1b02a83c052813fa9faf446da7a31481aa62576160a

SHA512
b5e6117a93269bf58aaa8dd1383dff6d442184f32be2c146a8f03f6e3b1be6f620cba2e8a4953f265e486fe4c9d3a1e5997433c1e4e2ab913255991668566d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF926.tmp\lpapcpbhddnipgnoppmdfgidikhnmilo\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF926.tmp\lpapcpbhddnipgnoppmdfgidikhnmilo\f.js
Filesize
5KB

MD5
7d3df737696c5a945cd4277ba5858c52

SHA1
3dd55ddda17d92bb8abc42506ae2eced731703a6

SHA256
f3fe77bd5ae5eed7f1f2f959372742dc598e22b17cb12fc8276a400d5c4e580c

SHA512
9678672f023d8589299ad0f900fcdcd3cc0cc0b5de3d0fb4827388bfb5d0134c919120298899ae1756fac27b920ff302642a49fef3bacc818f900711d93d08a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF926.tmp\lpapcpbhddnipgnoppmdfgidikhnmilo\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF926.tmp\lpapcpbhddnipgnoppmdfgidikhnmilo\manifest.json
Filesize
507B

MD5
d429395a45a9aa09e4ee9054e9196b30

SHA1
c5dbab4e27650b07d4d159c305d08a9d578c3a3e

SHA256
674fc32cde82ed69cb8595bbea9f70f69097062c39bd6a3a505227a4f4a45344

SHA512
4a5bc7c005e573bf0cdb89489d676fb26c5fe116d397a6cd7a1ebb2cae9605b3d1657378e17d354cb102e93c39b32fa8d2963f375af37c871452f3170356101e

Download Submit
memory/1756-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing