58fb993ff17bb718f773fdd43510d77e833c696da2d19cfd2373ce8c0e5e4fcd

General

Target

Soft.exe
Size

230.2MB
MD5

3bbde71346cb6e910ca30525dc1e1f60
SHA1

1151603635ad94e7651277d92c9f721de05f875b
SHA256

58fb993ff17bb718f773fdd43510d77e833c696da2d19cfd2373ce8c0e5e4fcd
SHA512

f80e907972099e88c3a1892058bb6fdcfe4ff4e907f48534ad10bd4452ffa399984ba6971221c91075604d450984c5eb57b296f44083481b50cf6d4e8eaa1910
SSDEEP

3072:jJdxYVsvlrk2ycpm1fC/zFJrkWilZ2fkWc6/T+jfOWe2brfnRRQfEfxX6deP:ssvlrxqkpMZwkWc7jf33uEfxqeP

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1324	Soft.exe
1324	Soft.exe
1324	Soft.exe
1324	Soft.exe
1324	Soft.exe
1324	Soft.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1128	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1324	Soft.exe
Token: SeDebugPrivilege	1128	taskmgr.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe

Suspicious use of SendNotifyMessage 36 IoCs

pid	Process
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe
1128	taskmgr.exe

C:\Users\Admin\AppData\Local\Temp\Soft.exe
"C:\Users\Admin\AppData\Local\Temp\Soft.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\606dcc8303a93cc84e22b207ff48dc07\Admin@[email protected]\Software.txt

Filesize
3KB

MD5
694c5ffccb77670978cd3f14529ea6b1

SHA1
7ab23fdd9cef4b2088405f533eabfdad5b64354c

SHA256
90cb6125d7a10b2c0a0b6e12e8ba0634b685fd5f43e72ad98a972b488f070c7a

SHA512
d09e1803bda281b0b8990a24b1a87888a2595253c2801b066d7b10825eaacd7494412e015692c4a46ae89ead3382f5d28c913bbf73f8ff92584cea312675dea1

Download Submit
C:\Users\Admin\AppData\Local\606dcc8303a93cc84e22b207ff48dc07\Admin@[email protected]\Software.txt

Filesize
4KB

MD5
0deddb3cd02f97a1b29228e249b3b365

SHA1
fecda2c925798a04ad17871124a441dd96ae1730

SHA256
f347f9e4d3dd0ce266a5d225c0471e33386c659c6c2425a1b2e625864e538b9b

SHA512
23d186926572a79bd7cec17ddfc8dc49e97097636cf34cdbc4a8b3d6b590362635cb41200da96385cbc9da4d255cef65bf5bf2cd964c37c331ef9d1dec50eeb0

Download Submit
C:\Users\Admin\AppData\Local\606dcc8303a93cc84e22b207ff48dc07\msgid.dat

Filesize
13B

MD5
9521abaf63ac62bdebe79b5e57372fab

SHA1
413b110169daca1526eab45695ea689dd12a1f52

SHA256
9a0b41ea52c5b08a0ccea3309e778f8677b8e8e523e0b75fffa4fbdbbfd6f3c3

SHA512
1240645d62741cb3751ba485736b1454e4089cc9c78602e797dcb919ccee6e4ce37a02e0c7a5e8e5ec7da77b4ba6a4746608d3e883327eb403ad2ef0f38a0373

Download Submit
memory/1128-109-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1128-110-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1324-6-0x00000000046C0000-0x0000000004700000-memory.dmp

Filesize
256KB

Download
memory/1324-22-0x0000000073D30000-0x000000007441E000-memory.dmp

Filesize
6.9MB

Download
memory/1324-51-0x00000000046C0000-0x0000000004700000-memory.dmp

Filesize
256KB

Download
memory/1324-5-0x0000000073D30000-0x000000007441E000-memory.dmp

Filesize
6.9MB

Download
memory/1324-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1324-94-0x00000000046C0000-0x0000000004700000-memory.dmp

Filesize
256KB

Download
memory/1324-1-0x0000000000230000-0x000000000024E000-memory.dmp

Filesize
120KB

Download
memory/1324-106-0x00000000046C0000-0x0000000004700000-memory.dmp

Filesize
256KB

Download
memory/1324-108-0x0000000073D30000-0x000000007441E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing