794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556

General

Target

794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe
Size

1.4MB
MD5

b8c770530fbbf660c60f010bb41aea47
SHA1

d80f9426ec9b8674b51067296708afd26f7c8dc1
SHA256

794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556
SHA512

72dbcc949445a70dbf01d94d099310e43918f53e457af9f3b95cc0579b0173b667240fb417c277a4683659992bc465f819b33df4bb5d6ab182e2526d934bad79
SSDEEP

24576:i8oaOEZREGtLrZRxC1fDrOF/xpZREGtLrZRxC1fDrOF/x:iKJZRdLw7rW/DZRdLw7rW/

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3472	svchost.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2872 set thread context of 3472	2872	794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe	86

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4436	2872	WerFault.exe	79

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 4400	2872	794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe	80
PID 2872 wrote to memory of 4400	2872	794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe	80
PID 2872 wrote to memory of 4400	2872	794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe	80
PID 4400 wrote to memory of 2072	4400	csc.exe	82
PID 4400 wrote to memory of 2072	4400	csc.exe	82
PID 4400 wrote to memory of 2072	4400	csc.exe	82
PID 2872 wrote to memory of 3472	2872	794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe	86
PID 2872 wrote to memory of 3472	2872	794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe	86
PID 2872 wrote to memory of 3472	2872	794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe	86
PID 2872 wrote to memory of 3472	2872	794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe	86
PID 2872 wrote to memory of 3472	2872	794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe	86
PID 2872 wrote to memory of 3472	2872	794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe	86
PID 2872 wrote to memory of 3472	2872	794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe	86
PID 2872 wrote to memory of 3472	2872	794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe	86
PID 2872 wrote to memory of 3472	2872	794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe	86
PID 2872 wrote to memory of 4436	2872	794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe	90
PID 2872 wrote to memory of 4436	2872	794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe	90
PID 2872 wrote to memory of 4436	2872	794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe	90

C:\Users\Admin\AppData\Local\Temp\794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe
"C:\Users\Admin\AppData\Local\Temp\794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wrpdqugc\wrpdqugc.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC2D.tmp" "c:\Users\Admin\AppData\Local\Temp\wrpdqugc\CSCF235EB043BF642B4B4A73A19EB460CC.TMP"
    3⤵
    PID:2072
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:3472
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 1140
  2⤵
  - Program crash
  PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2872 -ip 2872
1⤵
PID:1688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBC2D.tmp

Filesize
1KB

MD5
db7fab04555f45bd7c982949d5ebd3d7

SHA1
f65f330313f028c0411c8d9a0ccdbcbeff479fc0

SHA256
4305f491d0f2a0e0d8fe9c69ecb26744801455c1a9c232ef0c2752eb888cdb2e

SHA512
94bb3caee41c07ac4fa5db57ae65569fac303020532f17a595db28cea5e42028cd2cb6e552a46bfee64d0f8947ef905f41a9d05d0462351778513b50a31c2272

Download Submit
C:\Users\Admin\AppData\Local\Temp\wrpdqugc\wrpdqugc.dll

Filesize
5KB

MD5
c61c72ae7844e074a0179133061a7e8d

SHA1
4eeabbf20a2ac10eaba02fe24cd184d486b8aa33

SHA256
6f85a590446bef1e4c30a5475edb05384d0318dca56793d64bb06013043d98d9

SHA512
7f0ed16e449a98b0eb1e927f8707835b0a733be9534c4a78afbac12bcc6ce57316e5c2ab6aa3cd418a213bbe5a94e15fdb3d76badb4e3af13984947b9565f3dc

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
340KB

MD5
75f298411c935b45714874de4abfa0df

SHA1
ffb7a394a635e8ba3a28346c4c9fbfc2a5812d70

SHA256
c920743ee1b6bdb8443ab9b9982baabf6eeb3c17b3dce8c9b99a99b77d79d8bc

SHA512
fc52bebfbe1cbe2de6258a1a413cc04db4c28a95eee035f9c8fd08c0d051154b949cae6043770350972eeeaed52114445bd32ea0c02bfab2159e5cd4365d69c9

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
340KB

MD5
75f298411c935b45714874de4abfa0df

SHA1
ffb7a394a635e8ba3a28346c4c9fbfc2a5812d70

SHA256
c920743ee1b6bdb8443ab9b9982baabf6eeb3c17b3dce8c9b99a99b77d79d8bc

SHA512
fc52bebfbe1cbe2de6258a1a413cc04db4c28a95eee035f9c8fd08c0d051154b949cae6043770350972eeeaed52114445bd32ea0c02bfab2159e5cd4365d69c9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wrpdqugc\CSCF235EB043BF642B4B4A73A19EB460CC.TMP

Filesize
652B

MD5
ea494ab71503c0612fe691b155bb5c3e

SHA1
39f814697e4dd8f9e0edeae96632d80420a7fc26

SHA256
07e7a43b775fa9bf6d1f41e82a0004a0821c00972c92d425b66e2b1dab59ca54

SHA512
21acdae6f91a389a5b14fa6f600fe2654dd7eb1ff76a92279832da7857a47988b30ed4926007c3919ee8eedaa7c69a8a882463849650fa8c5b9f06ec873ed44c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wrpdqugc\wrpdqugc.0.cs

Filesize
4KB

MD5
2216d197bc442e875016eba15c07a937

SHA1
37528e21ea3271b85d276c6bd003e6c60c81545d

SHA256
2e9e3da7bfa1334706550bb4d6269bf3e64cbbc09fa349af52eb22f32aebb4af

SHA512
7d7bdc3bf83ac0a29e917ead899dcaa1b47ee2660f405fe4883ca2a2546f7924265e1d75a2ea02c0e34fac4d2bb82bbaaa88d06c240afad4e9fd49337cd04d3f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wrpdqugc\wrpdqugc.cmdline

Filesize
224B

MD5
87d0d5c61776ec46ef6942b08719ac36

SHA1
7b74e987d20498513bacaa4e56d14c4467a4aabe

SHA256
82dd0336a6ec3e8f17db459422a796b14d29cbdfce135265e5daf17c0b26653a

SHA512
7b8e49209894f0f7314d101ef7c57df885c05571ca0ef093b84c2aaaf5376b6ac1f82ee088738a2ae3bf6c90b7cd4cd5994974c69f534452f7ad96f591c53d64

Download Submit
memory/2872-133-0x0000000005790000-0x000000000582C000-memory.dmp

Filesize
624KB

Download
memory/2872-132-0x0000000000CE0000-0x0000000000E4C000-memory.dmp

Filesize
1.4MB

Download
memory/3472-142-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3472-146-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3472-147-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download

Analysis

Sharing