windealer | 33d29e4ca7eefcd1df148075c8765de6bd941faccbd2a1c5219d11cc5193fd68

General

Target

iexplore.exe
Size

352KB
MD5

95cdb3027de236e33d32fff9a3786c2f
SHA1

173b3dcac22e92a272a8ce228730072b4339e2ce
SHA256

33d29e4ca7eefcd1df148075c8765de6bd941faccbd2a1c5219d11cc5193fd68
SHA512

ce25b51ddf5fc187ab438dc51e2bab97ba41903087ba8308c7fb3a3f627bc9cc17f58cd5be1b40e3eee7f3fe68b688644ffef08d0e6a09e6d35c6b8c21278708
SSDEEP

6144:YZZC6Tf4RnqqfjkKlirFC1jGVr9nOhKy0zIBd6CiBP0PfL+eDHSVJs0z9LjS7g:ONTwxIKlirY1jAy0MjPi2Pj+oA/2

Score

10^/10

windealer discovery evasion spyware stealer trojan

Malware Config

Signatures

Detect WinDealer information stealer 15 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/4740-133-0x0000000010000000-0x000000001003C000-memory.dmp	family_windealer
behavioral1/memory/4740-137-0x0000000010000000-0x000000001003C000-memory.dmp	family_windealer
behavioral1/memory/4740-139-0x0000000010000000-0x000000001003C000-memory.dmp	family_windealer
behavioral1/memory/4740-136-0x0000000010000000-0x000000001003C000-memory.dmp	family_windealer
behavioral1/memory/4740-169-0x0000000010000000-0x000000001003C000-memory.dmp	family_windealer
behavioral1/memory/4740-170-0x0000000010000000-0x000000001003C000-memory.dmp	family_windealer
behavioral1/memory/4740-174-0x0000000010000000-0x000000001003C000-memory.dmp	family_windealer
behavioral1/memory/4740-175-0x0000000010000000-0x000000001003C000-memory.dmp	family_windealer
behavioral1/memory/4740-177-0x0000000010000000-0x000000001003C000-memory.dmp	family_windealer
behavioral1/memory/4740-178-0x0000000010000000-0x000000001003C000-memory.dmp	family_windealer
behavioral1/memory/4740-179-0x0000000010000000-0x000000001003C000-memory.dmp	family_windealer
behavioral1/memory/4740-197-0x0000000010000000-0x000000001003C000-memory.dmp	family_windealer
behavioral1/memory/4740-185-0x0000000010000000-0x000000001003C000-memory.dmp	family_windealer
behavioral1/memory/4740-201-0x0000000010000000-0x000000001003C000-memory.dmp	family_windealer
behavioral1/memory/4740-210-0x0000000010000000-0x000000001003C000-memory.dmp	family_windealer

WinDealer
WinDealer is an info stealer used by LuoYu group.
stealer trojan windealer
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

iexplore.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA iexplore.exe
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

iexplore.exe

description ioc process

File opened (read-only) \??\D: iexplore.exe
File opened (read-only) \??\F: iexplore.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 icanhazip.com

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe

description	ioc	process
File opened (read-only)	\??\D:	iexplore.exe
File opened (read-only)	\??\F:	iexplore.exe

flow	ioc
11	icanhazip.com

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

iexplore.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	iexplore.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

iexplore.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	iexplore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

iexplore.exe

pid process

4740 iexplore.exe
4740 iexplore.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

iexplore.exe

pid process

4740 iexplore.exe
4740 iexplore.exe

pid	process
4740	iexplore.exe
4740	iexplore.exe

pid	process
4740	iexplore.exe
4740	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\iexplore.exe
"C:\Users\Admin\AppData\Local\Temp\iexplore.exe"
1⤵
- Checks whether UAC is enabled
- Enumerates connected drives
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8e98-fb8010fb\C_PerfLogs_tmp

Filesize
5B

MD5
c8034a9882c2d012bf887d12f57219b5

SHA1
317a1e6bd6b2a3ed1e430bdd0600e7dc107dacd3

SHA256
259a9b41c6fea940108068d0521d0bbad4f0a3ae891e48cc7c9600d1122d2536

SHA512
54c92480ad303dcafbf25b8965b24c98f4ab4d34b56d4c0a5269d87c5538bcf3d84e42666f99d9f292d95168c8012c2309582976e28035a3f515f7f62ef4bfda

Download Submit
C:\Users\Admin\AppData\Local\Temp\8e98-fb8010fb\F_tmp

Filesize
121B

MD5
ae4e49f673041b57e7ed1bb3e2b4bef5

SHA1
5baa916f46d2f8e6cd678ba39dab98169b97aece

SHA256
b12a63fe4d2a784b2f1a292a48f70de59997ba4a70338f3c6b107e9cc60ce3a1

SHA512
9a4d3ff5ba4c3a046a93131c1ef6a57002acccba8636948c87cccb95faf07d78889cd112dbbc53b8b05c879985fa814ecddc8be8f959110ccab39befda24b957

Download Submit
memory/4740-174-0x0000000010000000-0x000000001003C000-memory.dmp

Filesize
240KB

Download
memory/4740-175-0x0000000010000000-0x000000001003C000-memory.dmp

Filesize
240KB

Download
memory/4740-136-0x0000000010000000-0x000000001003C000-memory.dmp

Filesize
240KB

Download
memory/4740-137-0x0000000010000000-0x000000001003C000-memory.dmp

Filesize
240KB

Download
memory/4740-169-0x0000000010000000-0x000000001003C000-memory.dmp

Filesize
240KB

Download
memory/4740-170-0x0000000010000000-0x000000001003C000-memory.dmp

Filesize
240KB

Download
memory/4740-133-0x0000000010000000-0x000000001003C000-memory.dmp

Filesize
240KB

Download
memory/4740-139-0x0000000010000000-0x000000001003C000-memory.dmp

Filesize
240KB

Download
memory/4740-177-0x0000000010000000-0x000000001003C000-memory.dmp

Filesize
240KB

Download
memory/4740-178-0x0000000010000000-0x000000001003C000-memory.dmp

Filesize
240KB

Download
memory/4740-179-0x0000000010000000-0x000000001003C000-memory.dmp

Filesize
240KB

Download
memory/4740-197-0x0000000010000000-0x000000001003C000-memory.dmp

Filesize
240KB

Download
memory/4740-185-0x0000000010000000-0x000000001003C000-memory.dmp

Filesize
240KB

Download
memory/4740-201-0x0000000010000000-0x000000001003C000-memory.dmp

Filesize
240KB

Download
memory/4740-210-0x0000000010000000-0x000000001003C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads