be59515f36a9504b9348e3eb434a2e3565692705444d615f34f819ba27470c61

General

Target

NEAS.75cd1244fd78e304fe4a230239b6ef30.exe
Size

170KB
MD5

75cd1244fd78e304fe4a230239b6ef30
SHA1

0a7984e1cdcca37efbc1877a5c609a6c2945ea7a
SHA256

be59515f36a9504b9348e3eb434a2e3565692705444d615f34f819ba27470c61
SHA512

2ad42c48eb91262d988a7f68e0067a085c4e84b3f7a0e66d2132bd24a00bc10932a1a6b03190b5f8666da413453674734be8f3f3dab5b4595128545561e6e3cc
SSDEEP

3072:wVSYYZbASP/+OGDJIZBcyJ+RXQK4UbwWhbZuq3sPE:w4DbAS6DJIZBaR4bWhbgE

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2080-4-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2080-9-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2612-12-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2588-16-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2080-27-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2080-95-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2080-127-0x0000000000400000-0x0000000000468000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2612	2080	NEAS.75cd1244fd78e304fe4a230239b6ef30.exe	28
PID 2080 wrote to memory of 2612	2080	NEAS.75cd1244fd78e304fe4a230239b6ef30.exe	28
PID 2080 wrote to memory of 2612	2080	NEAS.75cd1244fd78e304fe4a230239b6ef30.exe	28
PID 2080 wrote to memory of 2612	2080	NEAS.75cd1244fd78e304fe4a230239b6ef30.exe	28
PID 2080 wrote to memory of 2588	2080	NEAS.75cd1244fd78e304fe4a230239b6ef30.exe	30
PID 2080 wrote to memory of 2588	2080	NEAS.75cd1244fd78e304fe4a230239b6ef30.exe	30
PID 2080 wrote to memory of 2588	2080	NEAS.75cd1244fd78e304fe4a230239b6ef30.exe	30
PID 2080 wrote to memory of 2588	2080	NEAS.75cd1244fd78e304fe4a230239b6ef30.exe	30

C:\Users\Admin\AppData\Local\Temp\NEAS.75cd1244fd78e304fe4a230239b6ef30.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.75cd1244fd78e304fe4a230239b6ef30.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Local\Temp\NEAS.75cd1244fd78e304fe4a230239b6ef30.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.75cd1244fd78e304fe4a230239b6ef30.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:2612
- C:\Users\Admin\AppData\Local\Temp\NEAS.75cd1244fd78e304fe4a230239b6ef30.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.75cd1244fd78e304fe4a230239b6ef30.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\C81B.1AE

Filesize
696B

MD5
74b5ccfe881c8850bc885bd69cf63d56

SHA1
e8084423f7465d21965271e9a531d05cf0b9bcb2

SHA256
d253fc5fcd61efefc843e669267544b2f4c947cb9e03516aa4cbb96e119c03a3

SHA512
e22fba1dd25fea3c4c6b5dbd6de9ada31760e66ff8da35d877049bfe3adcf3268728e946e30ca22371ccef61caeb2a3cc93ab916dc4b2e8293db3ac6a9043548

Download Submit
C:\Users\Admin\AppData\Roaming\C81B.1AE

Filesize
996B

MD5
e67b3be239ec11ce2d347925d1e2e47d

SHA1
acc32f24b0cfa6c606120a31534a39c8d85ed431

SHA256
f659483469f1e01c463b6f51b47b5cb8f9f0660021a800fbe2c839d86200918a

SHA512
90082662fa572428b95a8a04d15e1101008779aeb494e29d0a887d2f55f0850d83188a66093689351a16f10bc1fc6605d0a2d6b27ed098dd2c63538a8c8236bf

Download Submit
C:\Users\Admin\AppData\Roaming\C81B.1AE

Filesize
1KB

MD5
6e38da25355b03b56c9c4e694647255f

SHA1
c06126f6f34b2213674910fa9cefcb92f89c4457

SHA256
8d0e868c08f2f393aa9a78a8a89ac0a83eb70db6ef0691fa95006ededf675dab

SHA512
16b73d05db5ec47b4d264b267ce43665871d7d38f13f0c260d393711b5b0f6cd2b425b894dc3a510caa3fec59458e1085cd9881d1a81dcfaee35458e3c2902d0

Download Submit
memory/2080-6-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/2080-9-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2080-1-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2080-27-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2080-4-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2080-2-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/2080-95-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2080-127-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2588-15-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download
memory/2588-16-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2612-11-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/2612-12-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing