Malware Analysis Report

2025-01-18 11:59

Sample ID 230206-e1d4dafd8x
Target payload.bin.exe
SHA256 f2cde4100fdbb5841b0f68e1c5dbba912b38478e64698c0238edb62415d1ad70
Tags discovery persistence spyware stealer
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 8/10

SHA256 f2cde4100fdbb5841b0f68e1c5dbba912b38478e64698c0238edb62415d1ad70

Threat Level: Likely malicious

The file payload.bin.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence spyware stealer

Downloads MZ/PE file

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates physical storage devices

GoLang User-Agent

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-06 04:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-06 04:24

Reported

2023-02-06 04:26

Platform

win7-20221111-en

Max time kernel

31s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\payload.bin.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\payload.bin.exe

"C:\Users\Admin\AppData\Local\Temp\payload.bin.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-06 04:24

Reported

2023-02-06 04:26

Platform

win10v2004-20220901-en

Max time kernel

91s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\payload.bin.exe"

Signatures

Downloads MZ/PE file

Checks computer location settings

Description  Key value queried
Indicator    \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation
Process      C:\Users\Admin\AppData\Local\Temp\payload.bin.exe
Target       N/A

Executes dropped EXE

Description  Indicator  Process                                              Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\xshOTgxL.exe       N/A
N/A          N/A        C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe  N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description  Set value (str)
Indicator    \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"
Process      C:\Users\Admin\AppData\Local\Temp\xshOTgxL.exe
Target       N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

GoLang User-Agent

Description             Indicator           Process  Target
HTTP User-Agent header  Go-http-client/1.1  N/A      N/A

Processes

C:\Users\Admin\AppData\Local\Temp\payload.bin.exe

"C:\Users\Admin\AppData\Local\Temp\payload.bin.exe"

C:\Users\Admin\AppData\Local\Temp\xshOTgxL.exe

"C:\Users\Admin\AppData\Local\Temp\xshOTgxL.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Network

Country  Destination         Domain          Proto
NL       45.15.156.50:80     45.15.156.50    tcp
US       93.184.221.240:80                   tcp
US       20.189.173.1:443                    tcp
US       104.193.254.97:80   104.193.254.97  tcp
NL       185.223.93.251:80   185.223.93.251  tcp
NL       87.248.202.1:80                     tcp
US       93.184.221.240:80                   tcp

Files

C:\Users\Admin\AppData\LocalLow\sqlite3.dll

MD5 dbf4f8dcefb8056dc6bae4b67ff810ce
SHA1 bbac1dd8a07c6069415c04b62747d794736d0689
SHA256 47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68
SHA512 b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

C:\Users\Admin\AppData\LocalLow\nss3.dll

MD5 f67d08e8c02574cbc2f1122c53bfb976
SHA1 6522992957e7e4d074947cad63189f308a80fcf2
SHA256 c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e
SHA512 2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

C:\Users\Admin\AppData\LocalLow\mozglue.dll

MD5 f07d9977430e762b563eaadc2b94bbfa
SHA1 da0a05b2b8d269fb73558dfcf0ed5c167f6d3877
SHA256 4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862
SHA512 6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

memory/4192-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\xshOTgxL.exe

MD5 feccda803ece2e7a3b7e9798714ad47e
SHA1 e97182adccf8a7692e6ad2614b0fb7fd3898a1a2
SHA256 14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320
SHA512 dec5fd4d184772ca590333b2382706c6e5a7b5050f9ae98af813192e06500424870e8332a1406c763e5cc6d266ddd7e09280b6bf118392fa6edea6fab5843287

C:\Users\Admin\AppData\Local\Temp\xshOTgxL.exe

MD5 feccda803ece2e7a3b7e9798714ad47e
SHA1 e97182adccf8a7692e6ad2614b0fb7fd3898a1a2
SHA256 14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320
SHA512 dec5fd4d184772ca590333b2382706c6e5a7b5050f9ae98af813192e06500424870e8332a1406c763e5cc6d266ddd7e09280b6bf118392fa6edea6fab5843287

memory/3632-138-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 935d83bc82e1701554c0d043b8e6f5d3
SHA1 29afd4afefd81c4c1e92485ba9c973f56bb43923
SHA256 a2a784bf2c4297e3eafbeda42bdc17918945ce86455be7c00c02ca1c89b866a4
SHA512 550cecba09ac6959a48ba9f1fe0fa197ba8563e06bcd2dc625d624cfb66abf5b5826e1ecba8191e1f63134d464172ced641f309dc7a31d2dafb18c4fea352be0

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 29fa67f2053eacb25c980f675ee3adc1
SHA1 69e1be26fa20b4dbe29b5db58b29cf831b045a62
SHA256 cd00962410e054f245fb8e9521b4bcedb919de2676edc9bfdadbacdb7cdf6425
SHA512 43c318816bb5fc5f444a54f8bc656fa69a95da377beb6d4414063504f234d2028a964d21b28532fd93387b42b299637378f60e54d8cd497273b3cbd696e63669