c49de2a2508ea969e1e7752b515a2d508e08b51da4365af6245d9d9d92341ce6 | Triage

Submit
Reports

Overview

overview

9

Static

static

c49de2a250...e6.exe

windows7-x64

9

c49de2a250...e6.exe

windows10-2004-x64

9

Sharing

General

Target

c49de2a2508ea969e1e7752b515a2d508e08b51da4365af6245d9d9d92341ce6
Size

444KB
Sample

221125-3nca1sfb87
MD5

ba909b63397276ff6c03199363842783
SHA1

8170a737992c9af18061039fe0382e1ace496a55
SHA256

c49de2a2508ea969e1e7752b515a2d508e08b51da4365af6245d9d9d92341ce6
SHA512

4154efa8d63b3b548c1f9209c7c48e6afe55995740c86db88b15c5974e5dd555f25a80041ef028fed13f505b9db8e8e5bb36e5c2323f3227774317aa59448e5d
SSDEEP

6144:M3r4LiHSp+kTgELBy8rjUSwd2jDzrGkHihOLV/IYwXFMwY2JqUaQO1uLuzjMqeD:MbNyp+OLB52WzWOL2YSNJq4uquzjPeD

Score

9^/10

collection persistence spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

c49de2a2508ea969e1e7752b515a2d508e08b51da4365af6245d9d9d92341ce6.exe

Resource

win7-20220812-en

collection persistence spyware stealer

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

c49de2a2508ea969e1e7752b515a2d508e08b51da4365af6245d9d9d92341ce6.exe

Resource

win10v2004-20221111-en

collection persistence spyware stealer

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Targets

- Target
  
  c49de2a2508ea969e1e7752b515a2d508e08b51da4365af6245d9d9d92341ce6
- Size
  
  444KB
- MD5
  
  ba909b63397276ff6c03199363842783
- SHA1
  
  8170a737992c9af18061039fe0382e1ace496a55
- SHA256
  
  c49de2a2508ea969e1e7752b515a2d508e08b51da4365af6245d9d9d92341ce6
- SHA512
  
  4154efa8d63b3b548c1f9209c7c48e6afe55995740c86db88b15c5974e5dd555f25a80041ef028fed13f505b9db8e8e5bb36e5c2323f3227774317aa59448e5d
- SSDEEP
  
  6144:M3r4LiHSp+kTgELBy8rjUSwd2jDzrGkHihOLV/IYwXFMwY2JqUaQO1uLuzjMqeD:MbNyp+OLB52WzWOL2YSNJq4uquzjPeD
Score

9^/10

collection persistence spyware stealer
- NirSoft MailPassView
  Password recovery tool for various email clients
- Nirsoft
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

collectionpersistencespywarestealer

behavioral2

collectionpersistencespywarestealer

© 2018-2024

Terms | Privacy