Malware Analysis Report

2025-08-05 17:20

Sample ID 230423-3rfgvaab6v
Target ab00587432571b0dfa5cae0655f14c2466a699cb2720c5456f41469e5c882bfc
SHA256 ab00587432571b0dfa5cae0655f14c2466a699cb2720c5456f41469e5c882bfc
Tags
discovery evasion persistence spyware stealer trojan
score
10/10


Analysis Overview

score
10/10

SHA256

ab00587432571b0dfa5cae0655f14c2466a699cb2720c5456f41469e5c882bfc

Threat Level: Known bad

The file ab00587432571b0dfa5cae0655f14c2466a699cb2720c5456f41469e5c882bfc was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan

Modifies Windows Defender Real-time Protection settings

Reads user/profile data of web browsers

Executes dropped EXE

Windows security modification

Adds Run key to start application

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-23 23:44

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-23 23:44

Reported

2023-04-23 23:47

Platform

win10-20230220-en

Max time kernel

52s

Max time network

64s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ab00587432571b0dfa5cae0655f14c2466a699cb2720c5456f41469e5c882bfc.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr255118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr255118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr255118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr255118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr255118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr255118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr255118.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\ab00587432571b0dfa5cae0655f14c2466a699cb2720c5456f41469e5c882bfc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\ab00587432571b0dfa5cae0655f14c2466a699cb2720c5456f41469e5c882bfc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417543.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417543.exe N/A

Checks installed software on the system

discovery

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr255118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu994919.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si285581.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2284 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\ab00587432571b0dfa5cae0655f14c2466a699cb2720c5456f41469e5c882bfc.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417543.exe
PID 2284 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\ab00587432571b0dfa5cae0655f14c2466a699cb2720c5456f41469e5c882bfc.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417543.exe
PID 2284 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\ab00587432571b0dfa5cae0655f14c2466a699cb2720c5456f41469e5c882bfc.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417543.exe
PID 2544 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417543.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr255118.exe
PID 2544 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417543.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr255118.exe
PID 2544 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417543.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr255118.exe
PID 2544 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417543.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu994919.exe
PID 2544 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417543.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu994919.exe
PID 2544 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417543.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu994919.exe
PID 2284 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\ab00587432571b0dfa5cae0655f14c2466a699cb2720c5456f41469e5c882bfc.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si285581.exe
PID 2284 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\ab00587432571b0dfa5cae0655f14c2466a699cb2720c5456f41469e5c882bfc.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si285581.exe
PID 2284 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\ab00587432571b0dfa5cae0655f14c2466a699cb2720c5456f41469e5c882bfc.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si285581.exe

Processes

Process: C:\Users\Admin\AppData\Local\Temp\ab00587432571b0dfa5cae0655f14c2466a699cb2720c5456f41469e5c882bfc.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ab00587432571b0dfa5cae0655f14c2466a699cb2720c5456f41469e5c882bfc.exe"

Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417543.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417543.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr255118.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr255118.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu994919.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu994919.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si285581.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si285581.exe

Network

Country Destination Domain Proto
N/A 185.161.248.142:38452 tcp
US 8.8.8.8:53 142.248.161.185.in-addr.arpa udp
JP 40.79.197.35:443 tcp
N/A 185.161.248.142:38452 tcp
NL 8.238.179.126:80 tcp
US 8.8.8.8:53 44.8.109.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417543.exe

MD5 55381a45a9f8d15d448a44a6fcede0f8
SHA1 ded5a07d33b22c25350d5acb6a41a51a04a95558
SHA256 d029051c4a9e3b50f4e83cdaed7f90b9d1258e9c1e39b3231ed7381008ddd44c
SHA512 d95ed6f4292edde714eecc1c374509c5d793c6a8cd51e92792e84decfcef7d7a779c589658da7174d513c9cae6d79898ef4d5d204dcd11a38f54674a1d8bd0f8

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr255118.exe

MD5 c833c4649bfda0bba8decbc9dd1498c4
SHA1 087886c86f7c2073a46f8f6ff065308ba16cd1bb
SHA256 ba1d1e52dc70863ceedd09b6be3bb3e4f6ef036d11fe109e550b0f7d7bbf1886
SHA512 c5e6b1c39850ddba8eeaae7f0456a611788054ab02fc699c5d3fd3b76c90e21d2ff76872b1836da4c7e9b1c26cd54e88a69c166999447c4e35fbb0431be9af53

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu994919.exe

MD5 e43d400926f6323fd3f2ba7e52f94b1d
SHA1 4ba024e6b9dfef3a61956b37e211429276398519
SHA256 5c93d8adb0027838ffc7f2b367f5070710fcbb709bd35f6880782d798425a4b1
SHA512 11a9ff5ae70f1c0ad31000e66dfcef28fbdb3b423821448b9aca190bfc3c9e480d92cdcb0e1fedc6227eeac73576e080af1a274fd595f4615f2457851be38f47

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si285581.exe

MD5 ace73b2b1f835de11594ea9a243a9f5c
SHA1 2f929d1f69784fbe499a95b064679a16947bdd84
SHA256 7310c28dc6a24530885da07d08c851b4a6c5aa987d2a44ce53cb73e72235fa49
SHA512 024e1ce3ab37e27c8647d02f79c434e103a84265c97b4773aed1a0b1fd3e8228eab560fc9b6f53b0132575ea855d1da0cd0b6b6e5cd2965f841cf8551c7d138e