0e43fde459bde11b1ae07a881a27718406cf5e7a6433b151d555f697d8501604

General

Target

0e43fde459bde11b1ae07a881a27718406cf5e7a6433b151d555f697d8501604.exe
Size

2.8MB
MD5

5bf1ac8aeb2e05df61c581340cbbae76
SHA1

bfd0e18006c4a031509522e288a51eca071caf53
SHA256

0e43fde459bde11b1ae07a881a27718406cf5e7a6433b151d555f697d8501604
SHA512

d805d8cd262baea47e894265b380ce3245a739e7c30c3ef3f4118a66d3dc29ae4107ef802dfbf8fc3a1def1843825acdfb4a4342b416c1821b39a842528a2d05
SSDEEP

49152:AbCjPKNqQwb7N36AlP/VXh+UfhnNW5que5xuv:oCjPKNL

Score

8^/10

collection spyware stealer upx

Malware Config

Signatures

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3676-136-0x0000000000400000-0x00000000004AD000-memory.dmp	upx
behavioral2/memory/3676-138-0x0000000000400000-0x00000000004AD000-memory.dmp	upx
behavioral2/memory/3676-139-0x0000000000400000-0x00000000004AD000-memory.dmp	upx
behavioral2/memory/4728-141-0x0000000000400000-0x00000000004E2000-memory.dmp	upx
behavioral2/memory/4728-143-0x0000000000400000-0x00000000004E2000-memory.dmp	upx
behavioral2/memory/4728-145-0x0000000000400000-0x00000000004E2000-memory.dmp	upx
behavioral2/memory/1968-146-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral2/memory/4728-147-0x0000000000400000-0x00000000004E2000-memory.dmp	upx
behavioral2/memory/1968-151-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral2/memory/1968-152-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral2/memory/4368-150-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/3676-153-0x0000000000400000-0x00000000004AD000-memory.dmp	upx
behavioral2/memory/3048-156-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/1968-154-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral2/memory/4368-158-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/4368-159-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/3048-161-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/3048-162-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/4908-164-0x0000000000400000-0x00000000004D1000-memory.dmp	upx
behavioral2/memory/3048-165-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/4368-166-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/4368-167-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/1968-169-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral2/memory/3676-168-0x0000000000400000-0x00000000004AD000-memory.dmp	upx
behavioral2/memory/3048-170-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/4908-173-0x0000000000400000-0x00000000004D1000-memory.dmp	upx
behavioral2/memory/4908-174-0x0000000000400000-0x00000000004D1000-memory.dmp	upx
behavioral2/memory/4908-175-0x0000000000400000-0x00000000004D1000-memory.dmp	upx

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1063

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir PersonalEdition Classic	vbc.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir PersonalEdition Classic	vbc.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

0e43fde459bde11b1ae07a881a27718406cf5e7a6433b151d555f697d8501604.exeRegAsm.exe

description	pid	process	target process
PID 1204 set thread context of 4680	1204	0e43fde459bde11b1ae07a881a27718406cf5e7a6433b151d555f697d8501604.exe	RegAsm.exe
PID 4680 set thread context of 3676	4680	RegAsm.exe	vbc.exe
PID 4680 set thread context of 4728	4680	RegAsm.exe	vbc.exe
PID 4680 set thread context of 1968	4680	RegAsm.exe	vbc.exe
PID 4680 set thread context of 4368	4680	RegAsm.exe	vbc.exe
PID 4680 set thread context of 3048	4680	RegAsm.exe	vbc.exe
PID 4680 set thread context of 4908	4680	RegAsm.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

0e43fde459bde11b1ae07a881a27718406cf5e7a6433b151d555f697d8501604.exe

pid	process
1204	0e43fde459bde11b1ae07a881a27718406cf5e7a6433b151d555f697d8501604.exe
1204	0e43fde459bde11b1ae07a881a27718406cf5e7a6433b151d555f697d8501604.exe
1204	0e43fde459bde11b1ae07a881a27718406cf5e7a6433b151d555f697d8501604.exe
1204	0e43fde459bde11b1ae07a881a27718406cf5e7a6433b151d555f697d8501604.exe
1204	0e43fde459bde11b1ae07a881a27718406cf5e7a6433b151d555f697d8501604.exe
1204	0e43fde459bde11b1ae07a881a27718406cf5e7a6433b151d555f697d8501604.exe
1204	0e43fde459bde11b1ae07a881a27718406cf5e7a6433b151d555f697d8501604.exe
1204	0e43fde459bde11b1ae07a881a27718406cf5e7a6433b151d555f697d8501604.exe
1204	0e43fde459bde11b1ae07a881a27718406cf5e7a6433b151d555f697d8501604.exe
1204	0e43fde459bde11b1ae07a881a27718406cf5e7a6433b151d555f697d8501604.exe
1204	0e43fde459bde11b1ae07a881a27718406cf5e7a6433b151d555f697d8501604.exe
1204	0e43fde459bde11b1ae07a881a27718406cf5e7a6433b151d555f697d8501604.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

vbc.exevbc.exevbc.exevbc.exevbc.exevbc.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	3676	vbc.exe
Token: SeDebugPrivilege	4728	vbc.exe
Token: SeDebugPrivilege	1968	vbc.exe
Token: SeDebugPrivilege	4368	vbc.exe
Token: SeDebugPrivilege	3048	vbc.exe
Token: SeDebugPrivilege	4908	vbc.exe
Token: SeDebugPrivilege	4680	RegAsm.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

0e43fde459bde11b1ae07a881a27718406cf5e7a6433b151d555f697d8501604.exeRegAsm.exe

description	pid	process	target process
PID 1204 wrote to memory of 4680	1204	0e43fde459bde11b1ae07a881a27718406cf5e7a6433b151d555f697d8501604.exe	RegAsm.exe
PID 1204 wrote to memory of 4680	1204	0e43fde459bde11b1ae07a881a27718406cf5e7a6433b151d555f697d8501604.exe	RegAsm.exe
PID 1204 wrote to memory of 4680	1204	0e43fde459bde11b1ae07a881a27718406cf5e7a6433b151d555f697d8501604.exe	RegAsm.exe
PID 1204 wrote to memory of 4680	1204	0e43fde459bde11b1ae07a881a27718406cf5e7a6433b151d555f697d8501604.exe	RegAsm.exe
PID 1204 wrote to memory of 4680	1204	0e43fde459bde11b1ae07a881a27718406cf5e7a6433b151d555f697d8501604.exe	RegAsm.exe
PID 1204 wrote to memory of 4680	1204	0e43fde459bde11b1ae07a881a27718406cf5e7a6433b151d555f697d8501604.exe	RegAsm.exe
PID 1204 wrote to memory of 4680	1204	0e43fde459bde11b1ae07a881a27718406cf5e7a6433b151d555f697d8501604.exe	RegAsm.exe
PID 1204 wrote to memory of 4680	1204	0e43fde459bde11b1ae07a881a27718406cf5e7a6433b151d555f697d8501604.exe	RegAsm.exe
PID 4680 wrote to memory of 3676	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 3676	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 3676	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 3676	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 3676	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 3676	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 3676	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 3676	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 4728	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 4728	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 4728	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 4728	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 4728	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 4728	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 4728	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 4728	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 1968	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 1968	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 1968	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 1968	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 1968	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 1968	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 1968	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 1968	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 4368	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 4368	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 4368	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 4368	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 4368	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 4368	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 4368	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 4368	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 3048	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 3048	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 3048	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 3048	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 3048	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 3048	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 3048	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 3048	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 4908	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 4908	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 4908	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 4908	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 4908	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 4908	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 4908	4680	RegAsm.exe	vbc.exe
PID 4680 wrote to memory of 4908	4680	RegAsm.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\0e43fde459bde11b1ae07a881a27718406cf5e7a6433b151d555f697d8501604.exe
"C:\Users\Admin\AppData\Local\Temp\0e43fde459bde11b1ae07a881a27718406cf5e7a6433b151d555f697d8501604.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4680

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -f C:\Users\Admin\AppData\Local\Temp\b1.dat
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3676

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -f C:\Users\Admin\AppData\Local\Temp\i4.dat
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -f C:\Users\Admin\AppData\Local\Temp\m2.dat
3⤵
- Accesses Microsoft Outlook accounts
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -f C:\Users\Admin\AppData\Local\Temp\f3.dat
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4368

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -f C:\Users\Admin\AppData\Local\Temp\w5.dat
3⤵
- Checks for any installed AV software in registry
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -f C:\Users\Admin\AppData\Local\Temp\d6.dat
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials in Files

1

T1081

Discovery

Security Software Discovery

1

T1063

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b1.dat
Filesize
1KB

MD5
b0cc2e6f2d8036c9b5fef218736fa9c9

SHA1
64fd3017625979c95ba09d7cbea201010a82f73f

SHA256
997aceeb78143e057d4ea0ed699db3cc1c723f699b4532663b7b85c83baa5c50

SHA512
a1fe80b2971c4d1141a594f27eaea61500bf701cd1b8fbdb5ac2204a63c8ef862344f8c30f65ce769f0acf2b0718ed33a02744dd1a152c4a62a5318333d29b9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d6.dat
Filesize
386B

MD5
8c69a073eec9e6502d8fa67cdcf5a234

SHA1
8d02bd4792ba46c4a59509867b8367df0e4a147a

SHA256
b1d968fcb39ec4c3642eeb8ed4ac9f917450bf48f4f8683107832a319056122f

SHA512
11a0ac9b878eece0a5e1b0ea7bead094a4cb9a9f884aeaf23887882f53c4625cfaeda7db73a2b07e973da6712105b2fbffac6de7195d31ea21d5b9dbdc85ed70

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3.dat
Filesize
391B

MD5
3525ea58bba48993ea0d01b65ea71381

SHA1
1b917678fdd969e5ee5916e5899e7c75a979cf4d

SHA256
681bcee53cf679ac674e700136f9229b9184fe60ed6410dbd7a33d462ed13ae2

SHA512
5aad8dca43ec85882daf50c469bd04dcf0b62affc8bc605b3e289496a2679d4d548fea8bb0aea7080bbfbcdcab9d275fc6797b9c95b64f9f97ecf79583a83986

Download Submit
C:\Users\Admin\AppData\Local\Temp\i4.dat
Filesize
420B

MD5
3f27c5665290bc99f2a29c57781ce9e2

SHA1
b1711fb103f5b228e51cbfb280d29972bd245eda

SHA256
052a1def3999705541eb433f26b2d65c2a69de5216cd87c568dc2159d2f83705

SHA512
60c11c5f9b4901d11a53cd7a5746ab4abbe52426ae26d31573971e3f83072dbdf041f6b4f106af43789d29a1b516925501774bee39a2f5ed7aa2924a0348cc4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\m2.dat
Filesize
400B

MD5
38d18b0ae3449c2f854ebe7de63cc065

SHA1
5b2591f992b47b0b9c36d17e467b198dce478d58

SHA256
f5871e2513fff59e0d00b54d0db5c8d6d2bf398788243f81ad5d40b90f9cb8e1

SHA512
5d372daee065acce43eb9ee91f52546660e7177f2d75183d7eda0e6c86d28b671423fd9965582a4c7193c3e0fdc1dd3eaafeb3d46ae347a1f78d8c24fb0e7538

Download Submit
C:\Users\Admin\AppData\Local\Temp\w5.dat
Filesize
802B

MD5
7f07842a0c9d640a866355198d9eb630

SHA1
14d89e48a572fcf8bfdb2a692c482f6cee277046

SHA256
fb8bb8fc49e50e536a598f1f7e5ee4ce971e4079d88237c4f1c80a089c22ca05

SHA512
c248e93ad6a5b6289d6815ca64fae51dc731b705056ce674278e54c79c33d7a8b61e870d9e6638a84d98c56b553073b53589a38cf1c63e1c02ae7c1028cdbe65

Download Submit
memory/1968-146-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/1968-169-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/1968-154-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/1968-152-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/1968-144-0x0000000000000000-mapping.dmp

Download
memory/1968-151-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/3048-156-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/3048-170-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/3048-165-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/3048-162-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/3048-161-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/3048-155-0x0000000000000000-mapping.dmp

Download
memory/3676-153-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3676-136-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3676-168-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3676-135-0x0000000000000000-mapping.dmp

Download
memory/3676-139-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3676-138-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/4368-148-0x0000000000000000-mapping.dmp

Download
memory/4368-159-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/4368-150-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/4368-166-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/4368-167-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/4368-158-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/4680-133-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/4680-134-0x00000000070E0000-0x0000000007684000-memory.dmp

Filesize
5.6MB

Download
memory/4680-132-0x0000000000000000-mapping.dmp

Download
memory/4728-140-0x0000000000000000-mapping.dmp

Download
memory/4728-147-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/4728-141-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/4728-143-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/4728-145-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/4908-173-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/4908-174-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/4908-175-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/4908-164-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/4908-163-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads