794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556

General

Target

794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe
Size

1.4MB
MD5

b8c770530fbbf660c60f010bb41aea47
SHA1

d80f9426ec9b8674b51067296708afd26f7c8dc1
SHA256

794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556
SHA512

72dbcc949445a70dbf01d94d099310e43918f53e457af9f3b95cc0579b0173b667240fb417c277a4683659992bc465f819b33df4bb5d6ab182e2526d934bad79
SSDEEP

24576:i8oaOEZREGtLrZRxC1fDrOF/xpZREGtLrZRxC1fDrOF/x:iKJZRdLw7rW/DZRdLw7rW/

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1680	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1912	794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe
1912	794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1912 set thread context of 1680	1912	794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe	31

Program crash 1 IoCs

pid	pid_target	Process	procid_target
540	1912	WerFault.exe	26

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 948	1912	794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe	28
PID 1912 wrote to memory of 948	1912	794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe	28
PID 1912 wrote to memory of 948	1912	794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe	28
PID 1912 wrote to memory of 948	1912	794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe	28
PID 948 wrote to memory of 1528	948	csc.exe	30
PID 948 wrote to memory of 1528	948	csc.exe	30
PID 948 wrote to memory of 1528	948	csc.exe	30
PID 948 wrote to memory of 1528	948	csc.exe	30
PID 1912 wrote to memory of 1680	1912	794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe	31
PID 1912 wrote to memory of 1680	1912	794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe	31
PID 1912 wrote to memory of 1680	1912	794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe	31
PID 1912 wrote to memory of 1680	1912	794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe	31
PID 1912 wrote to memory of 1680	1912	794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe	31
PID 1912 wrote to memory of 1680	1912	794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe	31
PID 1912 wrote to memory of 1680	1912	794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe	31
PID 1912 wrote to memory of 1680	1912	794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe	31
PID 1912 wrote to memory of 1680	1912	794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe	31
PID 1912 wrote to memory of 1680	1912	794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe	31
PID 1912 wrote to memory of 540	1912	794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe	33
PID 1912 wrote to memory of 540	1912	794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe	33
PID 1912 wrote to memory of 540	1912	794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe	33
PID 1912 wrote to memory of 540	1912	794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe	33

C:\Users\Admin\AppData\Local\Temp\794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe
"C:\Users\Admin\AppData\Local\Temp\794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5gbktrax\5gbktrax.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8EA9.tmp" "c:\Users\Admin\AppData\Local\Temp\5gbktrax\CSC6F88ADC899C49CDB2917ADFCF43C9E0.TMP"
    3⤵
    PID:1528
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:1680
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 588
  2⤵
  - Program crash
  PID:540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5gbktrax\5gbktrax.dll

Filesize
5KB

MD5
e455fa2b571df257d11a87d223c4e936

SHA1
5aac9273ae0fff21642a732a4990ef3597af4954

SHA256
5e9fea593a2d36cdb2c8df7f136c03630e671f540337f2e97489e9b00b06fa39

SHA512
aa6edde421c99f677cb3c2e246e282810022de85295df2eb7baf9654790c30633fcbaaf4d1cfbe6cce0a32a333a373aeeba85e3058fd83c56f7c2fd3d1dda17e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8EA9.tmp

Filesize
1KB

MD5
43c51a70acf989919f137fceb8fa0f40

SHA1
accc5046cc30124bc217bdd886e79cfd78141c33

SHA256
50e8e1651155039d8e476eb82ccdc878883f136ccd3aeffd51c135fc2b1142ca

SHA512
37e3e65a339e7928290d764f5a9d057ee20f2c68a6eeedeef3bbe15c0bee51af6dff0e254f729e328af77c43a39c4eb6e2adbe1f0ad72cdebc151bd311d189fe

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
340KB

MD5
75f298411c935b45714874de4abfa0df

SHA1
ffb7a394a635e8ba3a28346c4c9fbfc2a5812d70

SHA256
c920743ee1b6bdb8443ab9b9982baabf6eeb3c17b3dce8c9b99a99b77d79d8bc

SHA512
fc52bebfbe1cbe2de6258a1a413cc04db4c28a95eee035f9c8fd08c0d051154b949cae6043770350972eeeaed52114445bd32ea0c02bfab2159e5cd4365d69c9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5gbktrax\5gbktrax.0.cs

Filesize
4KB

MD5
2216d197bc442e875016eba15c07a937

SHA1
37528e21ea3271b85d276c6bd003e6c60c81545d

SHA256
2e9e3da7bfa1334706550bb4d6269bf3e64cbbc09fa349af52eb22f32aebb4af

SHA512
7d7bdc3bf83ac0a29e917ead899dcaa1b47ee2660f405fe4883ca2a2546f7924265e1d75a2ea02c0e34fac4d2bb82bbaaa88d06c240afad4e9fd49337cd04d3f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5gbktrax\5gbktrax.cmdline

Filesize
224B

MD5
695c17b2234761380034e285430b5399

SHA1
c7abfd15b53ad4be6f2e962618bed13663471652

SHA256
47a19c50275c2978a203c2de67e6f1f04f65a6cd11aedca89529dd9765af85dd

SHA512
fe11aec0be2597d622e231f462dc626edd342f84eeccec2979f9c0cae4596f33b7485e579ccb1498734cd24420032d1a1956a3d76998220f6040c41322455d8b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5gbktrax\CSC6F88ADC899C49CDB2917ADFCF43C9E0.TMP

Filesize
652B

MD5
515b1a74f898dc1426a88edb12c28d17

SHA1
70dd4f4a2cdd4a6a0a13085908365b072e61eedc

SHA256
8d31e10192cb99cf68f9fe4e641db08fd2f2393ab8877826c17c005c6bfd9d80

SHA512
6560e26e5ed7d886df1c7adcac0e8a9a53c39b5f3f3779d2b33d239ba2d0355928c3b83cbfa14fda756cda3a99b9f4ef0aa94b6fc196e6200741b4e3f4c2f026

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
340KB

MD5
75f298411c935b45714874de4abfa0df

SHA1
ffb7a394a635e8ba3a28346c4c9fbfc2a5812d70

SHA256
c920743ee1b6bdb8443ab9b9982baabf6eeb3c17b3dce8c9b99a99b77d79d8bc

SHA512
fc52bebfbe1cbe2de6258a1a413cc04db4c28a95eee035f9c8fd08c0d051154b949cae6043770350972eeeaed52114445bd32ea0c02bfab2159e5cd4365d69c9

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
340KB

MD5
75f298411c935b45714874de4abfa0df

SHA1
ffb7a394a635e8ba3a28346c4c9fbfc2a5812d70

SHA256
c920743ee1b6bdb8443ab9b9982baabf6eeb3c17b3dce8c9b99a99b77d79d8bc

SHA512
fc52bebfbe1cbe2de6258a1a413cc04db4c28a95eee035f9c8fd08c0d051154b949cae6043770350972eeeaed52114445bd32ea0c02bfab2159e5cd4365d69c9

Download Submit
memory/1680-66-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1680-67-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1680-69-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1680-71-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1680-73-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1680-74-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1680-79-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1680-80-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1680-82-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1912-54-0x00000000011D0000-0x000000000133C000-memory.dmp

Filesize
1.4MB

Download
memory/1912-63-0x0000000000560000-0x0000000000568000-memory.dmp

Filesize
32KB

Download
memory/1912-55-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing