51b41346135774c8c7170cdef7901c79e1c58432765c06296245eb1b199e5ee0 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

51b41346135774c8c7170cdef7901c79e1c58432765c06296245eb1b199e5ee0_JC.bat
Size

982B
Sample

231004-wd9p7sde5w
MD5

01e891943a8dba30dc78411b01c94de6
SHA1

bf279ee1c0202945ab302468adf7fbd16024411a
SHA256

51b41346135774c8c7170cdef7901c79e1c58432765c06296245eb1b199e5ee0
SHA512

b5c70f9bbfa09eea226f5100abdb734ba40c0ae065aaf4875c3950f02e716fbd646523e90d881c1aca7db0d2c71804eb44c6565127c7ae9491180c369192bd68

Score

10^/10

spyware

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://cdn.discordapp.com/attachments/1158445636576878694/1158467275553263617/Creal.exe

Targets

- Target
  
  51b41346135774c8c7170cdef7901c79e1c58432765c06296245eb1b199e5ee0_JC.bat
- Size
  
  982B
- MD5
  
  01e891943a8dba30dc78411b01c94de6
- SHA1
  
  bf279ee1c0202945ab302468adf7fbd16024411a
- SHA256
  
  51b41346135774c8c7170cdef7901c79e1c58432765c06296245eb1b199e5ee0
- SHA512
  
  b5c70f9bbfa09eea226f5100abdb734ba40c0ae065aaf4875c3950f02e716fbd646523e90d881c1aca7db0d2c71804eb44c6565127c7ae9491180c369192bd68
Score

10^/10

spyware
- Downloads MZ/PE file
- Drops startup file
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Process Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2