023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e | Triage

Submit
Reports

Overview

overview

Static

static

3

023548a5ce...4e.exe

windows7-x64

7

023548a5ce...4e.exe

windows10-2004-x64

Sharing

General

Target

023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e.exe
Size

30.7MB
Sample

230424-vv9wvsfb2v
MD5

9650ac3a9de8d51fddab092c7956bdae
SHA1

f52b9ec5b9629a746c679394953dc56407b8a419
SHA256

023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e
SHA512

82cd32a8b5b84c067a7a7989831041b4453f7ed7cc5ee4308e7dc5e495410267e03b6ea9ad3441adfa5e0313e274b2f43976121959d2c72b80d00719bb91d14e
SSDEEP

196608:TQ6kL2Vmd6+DXLZy7YM30Lzajzpj4sd5bL:vkL2Vmd6m70Gzajz9Pd5n

Score

10^/10

pyinstaller spyware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e.exe

Resource

win7-20230220-en

windows7-x64

2 signatures

150 seconds

Behavioral task

behavioral2

Sample

023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e.exe

Resource

win10v2004-20230220-en

pyinstaller spyware stealer

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://193.42.33.232/meokl/KK2023.zip

exe.dropper

http://193.42.33.232/alheim/Confirm.zip

exe.dropper

http://193.42.33.232/mrytr/MnMs.zip

Extracted

Credentials

Protocol: ftp
Host:
89.116.53.55
Port:
21
Username:
u999382941
Password:
Test1234

Targets

- Target
  
  023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e.exe
- Size
  
  30.7MB
- MD5
  
  9650ac3a9de8d51fddab092c7956bdae
- SHA1
  
  f52b9ec5b9629a746c679394953dc56407b8a419
- SHA256
  
  023548a5ce0de9f8b748a2fd8c4d1ae6c924c40acbde32e9599c868115d11f4e
- SHA512
  
  82cd32a8b5b84c067a7a7989831041b4453f7ed7cc5ee4308e7dc5e495410267e03b6ea9ad3441adfa5e0313e274b2f43976121959d2c72b80d00719bb91d14e
- SSDEEP
  
  196608:TQ6kL2Vmd6+DXLZy7YM30Lzajzpj4sd5bL:vkL2Vmd6m70Gzajz9Pd5n
Score

10^/10

pyinstaller spyware stealer
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

pyinstallerspywarestealer

© 2018-2024

Terms | Privacy