c1a4b5286f9eb74692f0b3d1f3938884da4449375ce100e696afb15c64723603

General

Target

c1a4b5286f9eb74692f0b3d1f3938884da4449375ce100e696afb15c64723603.exe
Size

2.5MB
MD5

975b000252ebb8c5a8f2ec1753c85a93
SHA1

a585bf89b61c311d018837f35c6777c9350c02c2
SHA256

c1a4b5286f9eb74692f0b3d1f3938884da4449375ce100e696afb15c64723603
SHA512

02521616a1e054cc83da5acb800642114e5c5a418a991b50459dbb0f5df64cfc15c9c935f37ea208f36d0fb901578e4583bdbaf5919d16898a99cb134826cdd1
SSDEEP

49152:h1OsTAQ+1ho2H8swSCCwwFB9nfFVDRBTY/3X5wRLCr56JK8xb:h1ObQzVCwJ/3CRLCrY8i

Score

8^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

X4oOA1qtRIZeXUd.exe

pid process

972 X4oOA1qtRIZeXUd.exe
Loads dropped DLL 1 IoCs

Processes:

c1a4b5286f9eb74692f0b3d1f3938884da4449375ce100e696afb15c64723603.exe

pid process

1004 c1a4b5286f9eb74692f0b3d1f3938884da4449375ce100e696afb15c64723603.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
972	X4oOA1qtRIZeXUd.exe

pid	process
1004	c1a4b5286f9eb74692f0b3d1f3938884da4449375ce100e696afb15c64723603.exe

Drops Chrome extension 3 IoCs

Processes:

X4oOA1qtRIZeXUd.exe

description	ioc	process
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\mbgilepilfcabogjpmklmabolalpbebn\200\manifest.json	X4oOA1qtRIZeXUd.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mbgilepilfcabogjpmklmabolalpbebn\200\manifest.json	X4oOA1qtRIZeXUd.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\mbgilepilfcabogjpmklmabolalpbebn\200\manifest.json	X4oOA1qtRIZeXUd.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

X4oOA1qtRIZeXUd.exe

pid process

972 X4oOA1qtRIZeXUd.exe

pid	process
972	X4oOA1qtRIZeXUd.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

c1a4b5286f9eb74692f0b3d1f3938884da4449375ce100e696afb15c64723603.exe

description	pid	process	target process
PID 1004 wrote to memory of 972	1004	c1a4b5286f9eb74692f0b3d1f3938884da4449375ce100e696afb15c64723603.exe	X4oOA1qtRIZeXUd.exe
PID 1004 wrote to memory of 972	1004	c1a4b5286f9eb74692f0b3d1f3938884da4449375ce100e696afb15c64723603.exe	X4oOA1qtRIZeXUd.exe
PID 1004 wrote to memory of 972	1004	c1a4b5286f9eb74692f0b3d1f3938884da4449375ce100e696afb15c64723603.exe	X4oOA1qtRIZeXUd.exe
PID 1004 wrote to memory of 972	1004	c1a4b5286f9eb74692f0b3d1f3938884da4449375ce100e696afb15c64723603.exe	X4oOA1qtRIZeXUd.exe

C:\Users\Admin\AppData\Local\Temp\c1a4b5286f9eb74692f0b3d1f3938884da4449375ce100e696afb15c64723603.exe
"C:\Users\Admin\AppData\Local\Temp\c1a4b5286f9eb74692f0b3d1f3938884da4449375ce100e696afb15c64723603.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1004

C:\Users\Admin\AppData\Local\Temp\7zS4107.tmp\X4oOA1qtRIZeXUd.exe
.\X4oOA1qtRIZeXUd.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Suspicious behavior: EnumeratesProcesses
PID:972

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS4107.tmp\X4oOA1qtRIZeXUd.dat
Filesize
6KB

MD5
948da42cd4e34b92ea34aa1bc4cfe717

SHA1
6fa23029b81670dd1ca5f9632162c94cd1514be5

SHA256
ee84c1058f4138f1b8cd895e1b8d2f04533bc0eeaf682070a773c5890e8da98c

SHA512
344851f329957e367421fd62072b9717a733bb68f1ce2460da1e323c0e72d2f7de26fc2590b8b6289485b87f053b27ad892ad56f9218706c3a84e71156f36d9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4107.tmp\X4oOA1qtRIZeXUd.exe
Filesize
778KB

MD5
2b3591a7eecb2bfda4a75c5f22f52bbb

SHA1
4b57dc7c82dfb5aee529091314787978b6f2e58d

SHA256
def761f4af36128afc624d20df658e2ac6180c3cb72d77c219c95395d57e1aff

SHA512
0bb7cdfb987b6fbeed51cd186292d119f34fb785a31c2ebe58615f7d71e350aa4b55b458cfc9433db7957b5ade46053e3fcfa7ec004b8b6e52e02857d05d6ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4107.tmp\mbgilepilfcabogjpmklmabolalpbebn\Ze.js
Filesize
5KB

MD5
93380286b4a236bf52919898cd411e79

SHA1
830ea0abfc107cadd10668967d018e6cff211bbe

SHA256
561031f79c3ad3ffb0637908c7a5790a83d6ada5cdac0e1d4b628cd963a3b152

SHA512
4ba5a9c0fef52157e4d0f58bba6f24dfc64110e3c0325767b0f6f42b1a3f818a1001e22b79d52b8c130e351441e624a6fca448ead4e67caece5cdcaa4c149cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4107.tmp\mbgilepilfcabogjpmklmabolalpbebn\background.html
Filesize
139B

MD5
67178422d1053decddd2a3b72ad25b80

SHA1
b1d37bf08441d1bf1c66eb571f7959d6a149b8b3

SHA256
a6fa6766b6dc285c6d1f3154d6635802db33c79f9f6195d50e8ada7bb996234f

SHA512
00371dc0d1f5b6aab34b533039726f0de017fee08fe5475a0920814cdd8b03b65fbf2d756456de834d146b3264465222bbdcc3c77955c636726e40cf7e4e5f16

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4107.tmp\mbgilepilfcabogjpmklmabolalpbebn\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4107.tmp\mbgilepilfcabogjpmklmabolalpbebn\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4107.tmp\mbgilepilfcabogjpmklmabolalpbebn\manifest.json
Filesize
504B

MD5
d532994175ac6e4e8fea2ae07edef6ff

SHA1
5646eab3cebc8b0a804103b63f08a63db784a77d

SHA256
f9a190f8cfafdeddfe9627366bcd108e42b7fa07c8d074f1570bd77489f39c4d

SHA512
ba6ddc11423c0b0d93de3e3ecb9eeebe29470723282165aa67de4329a5f9af7e390869a7cbd0834c1ff115a1ed0a274bed686b4b6630e98b268ec1f2a9a8dadb

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4107.tmp\X4oOA1qtRIZeXUd.exe
Filesize
778KB

MD5
2b3591a7eecb2bfda4a75c5f22f52bbb

SHA1
4b57dc7c82dfb5aee529091314787978b6f2e58d

SHA256
def761f4af36128afc624d20df658e2ac6180c3cb72d77c219c95395d57e1aff

SHA512
0bb7cdfb987b6fbeed51cd186292d119f34fb785a31c2ebe58615f7d71e350aa4b55b458cfc9433db7957b5ade46053e3fcfa7ec004b8b6e52e02857d05d6ac9

Download Submit
memory/972-56-0x0000000000000000-mapping.dmp

Download
memory/1004-54-0x0000000075881000-0x0000000075883000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing