a6b1cd1aa0b073050208dfb92c63222f622f0ca0e7558b5ffd83ff65b567286d

General

Target

a6b1cd1aa0b073050208dfb92c63222f622f0ca0e7558b5ffd83ff65b567286d.exe
Size

920KB
MD5

420197ffa86880ca7366b5e6d6abccaa
SHA1

3ac31c7fb31f2d6c8cfc0dce9091008bb4674d9c
SHA256

a6b1cd1aa0b073050208dfb92c63222f622f0ca0e7558b5ffd83ff65b567286d
SHA512

afcf4661bf38f83d6ab647b9c19b7472412cde46f4b613fac43901e4bfbcf4e29e1c2f2d04583bc1a369de6ed452dd2394a031bf044e3a6b7d62def625fb8fe7
SSDEEP

24576:h1OYdaOLCZ/iWCvu/2sWsJA/jlt+DHhs0:h1OsZCpYO/dJJDHhs0

Score

8^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

iM9LGYeTwavV18u.exe

pid process

1172 iM9LGYeTwavV18u.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1172	iM9LGYeTwavV18u.exe

Drops Chrome extension 3 IoCs

Processes:

iM9LGYeTwavV18u.exe

description	ioc	process
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\ehohhddamheegbbkabfgegbaeminghlb\228\manifest.json	iM9LGYeTwavV18u.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ehohhddamheegbbkabfgegbaeminghlb\228\manifest.json	iM9LGYeTwavV18u.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ehohhddamheegbbkabfgegbaeminghlb\228\manifest.json	iM9LGYeTwavV18u.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

iM9LGYeTwavV18u.exe

pid process

1172 iM9LGYeTwavV18u.exe
1172 iM9LGYeTwavV18u.exe

pid	process
1172	iM9LGYeTwavV18u.exe
1172	iM9LGYeTwavV18u.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

a6b1cd1aa0b073050208dfb92c63222f622f0ca0e7558b5ffd83ff65b567286d.exe

description	pid	process	target process
PID 3612 wrote to memory of 1172	3612	a6b1cd1aa0b073050208dfb92c63222f622f0ca0e7558b5ffd83ff65b567286d.exe	iM9LGYeTwavV18u.exe
PID 3612 wrote to memory of 1172	3612	a6b1cd1aa0b073050208dfb92c63222f622f0ca0e7558b5ffd83ff65b567286d.exe	iM9LGYeTwavV18u.exe
PID 3612 wrote to memory of 1172	3612	a6b1cd1aa0b073050208dfb92c63222f622f0ca0e7558b5ffd83ff65b567286d.exe	iM9LGYeTwavV18u.exe

C:\Users\Admin\AppData\Local\Temp\a6b1cd1aa0b073050208dfb92c63222f622f0ca0e7558b5ffd83ff65b567286d.exe
"C:\Users\Admin\AppData\Local\Temp\a6b1cd1aa0b073050208dfb92c63222f622f0ca0e7558b5ffd83ff65b567286d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3612

C:\Users\Admin\AppData\Local\Temp\7zSC27.tmp\iM9LGYeTwavV18u.exe
.\iM9LGYeTwavV18u.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Suspicious behavior: EnumeratesProcesses
PID:1172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSC27.tmp\ehohhddamheegbbkabfgegbaeminghlb\MzM5.js

Filesize
7KB

MD5
cc68d29b73c55179620a6831868e6625

SHA1
bdac8d3b6124e8827a1828c9e5e73c660df61a74

SHA256
73b8f9036b3d33212f5b18e79d54d9da57cab5856ffd716df6424d9ffb0553e1

SHA512
223eb85ab40a8c20c245e2de61bd042b18612b83fbac5c43ba1afaf04c6e91aef02e36d8150d136311c1d81779adaa5741232e4bf24603696dc7a9fe83d008a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC27.tmp\ehohhddamheegbbkabfgegbaeminghlb\background.html

Filesize
141B

MD5
a89af46ba80d7b4d5e652ddccb7ca607

SHA1
4f6cc25387a437addcc70415b8142eb36a04ef5b

SHA256
be7e5b2f72917fc622a83e1b5f94b2acaee020033a518ea10930ee0e13ebe1c5

SHA512
7f61f7fdb79e1d3d714bfbafb8c5f1081541d9899818ffb8cc9c129e7630b71c859d32183ddf1f57f0fbd52bf057c7b3e30f2fa9d7486831c625cf2c384a5159

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC27.tmp\ehohhddamheegbbkabfgegbaeminghlb\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC27.tmp\ehohhddamheegbbkabfgegbaeminghlb\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC27.tmp\ehohhddamheegbbkabfgegbaeminghlb\manifest.json

Filesize
600B

MD5
a2b3ebf2eb55e814365c8f765ce62757

SHA1
81567ed7c99a5fd108f1e4f9710c3d59cf6b3355

SHA256
8050d671dff229056c3947db3f49a88619938a83b3b06e1a7230e7c77500a363

SHA512
84290b9aaaff5be3d002f980b8fcb72d7d8c0359ff5f8ee0901d65e17bff4e699c5119d1ca1bfbd0344d5646d84735a70672738d5e74ab0a30193139b253639c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC27.tmp\iM9LGYeTwavV18u.dat

Filesize
1KB

MD5
5eac19f5a76c66ded59b31a777068134

SHA1
880eedd840be8fac7ef68d01fdd52095dae443ef

SHA256
67ba95394131fcbc1fe8e67ba0d815e54909bd74d71366eefa11b0c8d35a9359

SHA512
0e2e5d07c87b07347eea791d21faa97c6e722aee6269873241e99e6d34f9cbcf5c69e4cb3a3561e95b63748e0a493c8615c2fa25271ae57a22de25a057e70ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC27.tmp\iM9LGYeTwavV18u.exe

Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC27.tmp\iM9LGYeTwavV18u.exe

Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
memory/1172-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing