4a214ca2c8d321edeab9493c5947d7e0c7ba6575abbb45fc719aff42640cda88

General

Target

4a214ca2c8d321edeab9493c5947d7e0c7ba6575abbb45fc719aff42640cda88.exe
Size

600KB
MD5

27d84e58000078a566602e597aa73186
SHA1

0521b65491fedad4f142baef107f4a691f3f5c06
SHA256

4a214ca2c8d321edeab9493c5947d7e0c7ba6575abbb45fc719aff42640cda88
SHA512

1c26a751ca202de1deb6aee5da533b5fcedea4b530bb15f3e8ca06398519d6180e6735bd522949d2a3d0091ff804036278c79b87dc1e3bb84d9234606c8736c8
SSDEEP

12288:MBtdzSMfWEGgEgt1rrRRXV3p+96cQP48KieqFrAoZlNFKihqw8:MBt89EbEe1rrV3p+9VQPFeqFrVZNP

Score

10^/10

collection evasion spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
overcomer123

Signatures

NirSoft MailPassView 5 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1744-92-0x0000000000411654-mapping.dmp	MailPassView
behavioral1/memory/1744-91-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1744-95-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1744-96-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1744-97-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

Nirsoft 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/596-76-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral1/memory/596-77-0x000000000040E758-mapping.dmp	Nirsoft
behavioral1/memory/596-80-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral1/memory/596-81-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral1/memory/1744-92-0x0000000000411654-mapping.dmp	Nirsoft
behavioral1/memory/1744-91-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1744-95-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1744-96-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1744-97-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

PO 2.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	PO 2.exe

Disables Task Manager via registry modification
evasion
Executes dropped EXE 1 IoCs

Processes:

PO 2.exe

pid process

584 PO 2.exe

pid	process
584	PO 2.exe

Loads dropped DLL 3 IoCs

Processes:

4a214ca2c8d321edeab9493c5947d7e0c7ba6575abbb45fc719aff42640cda88.exedw20.exe

pid	process
628	4a214ca2c8d321edeab9493c5947d7e0c7ba6575abbb45fc719aff42640cda88.exe
628	4a214ca2c8d321edeab9493c5947d7e0c7ba6575abbb45fc719aff42640cda88.exe
1996	dw20.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 bot.whatismyipaddress.com
Suspicious use of SetThreadContext 2 IoCs

Processes:

PO 2.exe

description pid process target process

PID 584 set thread context of 596 584 PO 2.exe vbc.exe
PID 584 set thread context of 1744 584 PO 2.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

PO 2.exe

description pid process

Token: SeDebugPrivilege 584 PO 2.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

PO 2.exe

pid process

584 PO 2.exe

flow	ioc
6	bot.whatismyipaddress.com

description	pid	process	target process
PID 584 set thread context of 596	584	PO 2.exe	vbc.exe
PID 584 set thread context of 1744	584	PO 2.exe	vbc.exe

description	pid	process
Token: SeDebugPrivilege	584	PO 2.exe

pid	process
584	PO 2.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

4a214ca2c8d321edeab9493c5947d7e0c7ba6575abbb45fc719aff42640cda88.exePO 2.exe

description	pid	process	target process
PID 628 wrote to memory of 584	628	4a214ca2c8d321edeab9493c5947d7e0c7ba6575abbb45fc719aff42640cda88.exe	PO 2.exe
PID 628 wrote to memory of 584	628	4a214ca2c8d321edeab9493c5947d7e0c7ba6575abbb45fc719aff42640cda88.exe	PO 2.exe
PID 628 wrote to memory of 584	628	4a214ca2c8d321edeab9493c5947d7e0c7ba6575abbb45fc719aff42640cda88.exe	PO 2.exe
PID 628 wrote to memory of 584	628	4a214ca2c8d321edeab9493c5947d7e0c7ba6575abbb45fc719aff42640cda88.exe	PO 2.exe
PID 584 wrote to memory of 1996	584	PO 2.exe	dw20.exe
PID 584 wrote to memory of 1996	584	PO 2.exe	dw20.exe
PID 584 wrote to memory of 1996	584	PO 2.exe	dw20.exe
PID 584 wrote to memory of 1996	584	PO 2.exe	dw20.exe
PID 584 wrote to memory of 596	584	PO 2.exe	vbc.exe
PID 584 wrote to memory of 596	584	PO 2.exe	vbc.exe
PID 584 wrote to memory of 596	584	PO 2.exe	vbc.exe
PID 584 wrote to memory of 596	584	PO 2.exe	vbc.exe
PID 584 wrote to memory of 596	584	PO 2.exe	vbc.exe
PID 584 wrote to memory of 596	584	PO 2.exe	vbc.exe
PID 584 wrote to memory of 596	584	PO 2.exe	vbc.exe
PID 584 wrote to memory of 596	584	PO 2.exe	vbc.exe
PID 584 wrote to memory of 596	584	PO 2.exe	vbc.exe
PID 584 wrote to memory of 596	584	PO 2.exe	vbc.exe
PID 584 wrote to memory of 1744	584	PO 2.exe	vbc.exe
PID 584 wrote to memory of 1744	584	PO 2.exe	vbc.exe
PID 584 wrote to memory of 1744	584	PO 2.exe	vbc.exe
PID 584 wrote to memory of 1744	584	PO 2.exe	vbc.exe
PID 584 wrote to memory of 1744	584	PO 2.exe	vbc.exe
PID 584 wrote to memory of 1744	584	PO 2.exe	vbc.exe
PID 584 wrote to memory of 1744	584	PO 2.exe	vbc.exe
PID 584 wrote to memory of 1744	584	PO 2.exe	vbc.exe
PID 584 wrote to memory of 1744	584	PO 2.exe	vbc.exe
PID 584 wrote to memory of 1744	584	PO 2.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\4a214ca2c8d321edeab9493c5947d7e0c7ba6575abbb45fc719aff42640cda88.exe
"C:\Users\Admin\AppData\Local\Temp\4a214ca2c8d321edeab9493c5947d7e0c7ba6575abbb45fc719aff42640cda88.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:628

C:\Users\Admin\AppData\Local\Temp\PO 2.exe
"C:\Users\Admin\AppData\Local\Temp\PO 2.exe"
2⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 848
3⤵
- Loads dropped DLL
PID:1996

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logff.txt
3⤵
PID:596

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logmail.txt
3⤵
- Accesses Microsoft Outlook accounts
PID:1744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials in Files

2

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PO 2.exe
Filesize
444KB

MD5
e832e6b1625bd33408fe293f2a303ed9

SHA1
dc79ad7fd138003025304e9d0bbfff35a2929722

SHA256
8327ef22aeeb0cf938d9adbf3e0710a0b354ad7d0022b9ae1233b8d179aefd3d

SHA512
9bf39dc015378a41580760a0b972a8aa3fa215cec99c1f5167134cd4cb322390ed2f233cad59fb375cbfc9e86ada246907262615bca40950e9381957985761c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\PO 2.exe
Filesize
444KB

MD5
e832e6b1625bd33408fe293f2a303ed9

SHA1
dc79ad7fd138003025304e9d0bbfff35a2929722

SHA256
8327ef22aeeb0cf938d9adbf3e0710a0b354ad7d0022b9ae1233b8d179aefd3d

SHA512
9bf39dc015378a41580760a0b972a8aa3fa215cec99c1f5167134cd4cb322390ed2f233cad59fb375cbfc9e86ada246907262615bca40950e9381957985761c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\logff.txt
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\PO 2.exe
Filesize
444KB

MD5
e832e6b1625bd33408fe293f2a303ed9

SHA1
dc79ad7fd138003025304e9d0bbfff35a2929722

SHA256
8327ef22aeeb0cf938d9adbf3e0710a0b354ad7d0022b9ae1233b8d179aefd3d

SHA512
9bf39dc015378a41580760a0b972a8aa3fa215cec99c1f5167134cd4cb322390ed2f233cad59fb375cbfc9e86ada246907262615bca40950e9381957985761c8

Download Submit
\Users\Admin\AppData\Local\Temp\PO 2.exe
Filesize
444KB

MD5
e832e6b1625bd33408fe293f2a303ed9

SHA1
dc79ad7fd138003025304e9d0bbfff35a2929722

SHA256
8327ef22aeeb0cf938d9adbf3e0710a0b354ad7d0022b9ae1233b8d179aefd3d

SHA512
9bf39dc015378a41580760a0b972a8aa3fa215cec99c1f5167134cd4cb322390ed2f233cad59fb375cbfc9e86ada246907262615bca40950e9381957985761c8

Download Submit
\Users\Admin\AppData\Local\Temp\PO 2.exe
Filesize
444KB

MD5
e832e6b1625bd33408fe293f2a303ed9

SHA1
dc79ad7fd138003025304e9d0bbfff35a2929722

SHA256
8327ef22aeeb0cf938d9adbf3e0710a0b354ad7d0022b9ae1233b8d179aefd3d

SHA512
9bf39dc015378a41580760a0b972a8aa3fa215cec99c1f5167134cd4cb322390ed2f233cad59fb375cbfc9e86ada246907262615bca40950e9381957985761c8

Download Submit
memory/584-64-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download
memory/584-58-0x0000000000000000-mapping.dmp

Download
memory/584-63-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download
memory/596-74-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/596-81-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/596-80-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/596-68-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/596-69-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/596-71-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/596-73-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/596-77-0x000000000040E758-mapping.dmp

Download
memory/596-76-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/628-55-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download
memory/628-62-0x0000000074420000-0x00000000749CB000-memory.dmp

Filesize
5.7MB

Download
memory/628-54-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/1744-86-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1744-83-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1744-84-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1744-88-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1744-89-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1744-92-0x0000000000411654-mapping.dmp

Download
memory/1744-91-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1744-95-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1744-96-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1744-97-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1996-65-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads