3132de2a879854bd5582577e1dd94d54fa8961e72912eb3dd1779a4c87a40ada

Analysis

max time kernel
141s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 04:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a201e4db26a9622eb1c57643923ea93.exe
Size

6.6MB
MD5

6a201e4db26a9622eb1c57643923ea93
SHA1

e6c2100b8b4fc9c1eff6abe13794b6d1f9a9193a
SHA256

3132de2a879854bd5582577e1dd94d54fa8961e72912eb3dd1779a4c87a40ada
SHA512

f9fa1cb043336bbcc8573c05b113a05900631c10a49f9603d60d02d0a801daee976b230ba51dc1c9f59492c0b626bd9be484f015dfdd84cd1dc7d17b8330b7c6
SSDEEP

196608:OMZx7QICteEroXxWVfEqlbkkwR7VTEJZFvNtRXk2tL:lQInEroXgfEqirRRoJZhNnXv

Score

7^/10

spyware stealer

Malware Config

Signatures

Loads dropped DLL 13 IoCs

pid	Process
1464	6a201e4db26a9622eb1c57643923ea93.exe
1464	6a201e4db26a9622eb1c57643923ea93.exe
1464	6a201e4db26a9622eb1c57643923ea93.exe
1464	6a201e4db26a9622eb1c57643923ea93.exe
1464	6a201e4db26a9622eb1c57643923ea93.exe
1464	6a201e4db26a9622eb1c57643923ea93.exe
1464	6a201e4db26a9622eb1c57643923ea93.exe
1464	6a201e4db26a9622eb1c57643923ea93.exe
1464	6a201e4db26a9622eb1c57643923ea93.exe
1464	6a201e4db26a9622eb1c57643923ea93.exe
1464	6a201e4db26a9622eb1c57643923ea93.exe
1464	6a201e4db26a9622eb1c57643923ea93.exe
1464	6a201e4db26a9622eb1c57643923ea93.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ipinfo.io

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3084 wrote to memory of 1464	3084	6a201e4db26a9622eb1c57643923ea93.exe	21
PID 3084 wrote to memory of 1464	3084	6a201e4db26a9622eb1c57643923ea93.exe	21
PID 1464 wrote to memory of 2516	1464	6a201e4db26a9622eb1c57643923ea93.exe	26
PID 1464 wrote to memory of 2516	1464	6a201e4db26a9622eb1c57643923ea93.exe	26
PID 1464 wrote to memory of 4708	1464	6a201e4db26a9622eb1c57643923ea93.exe	25
PID 1464 wrote to memory of 4708	1464	6a201e4db26a9622eb1c57643923ea93.exe	25
PID 1464 wrote to memory of 4672	1464	6a201e4db26a9622eb1c57643923ea93.exe	24
PID 1464 wrote to memory of 4672	1464	6a201e4db26a9622eb1c57643923ea93.exe	24
PID 1464 wrote to memory of 2340	1464	6a201e4db26a9622eb1c57643923ea93.exe	57
PID 1464 wrote to memory of 2340	1464	6a201e4db26a9622eb1c57643923ea93.exe	57

C:\Users\Admin\AppData\Local\Temp\6a201e4db26a9622eb1c57643923ea93.exe
"C:\Users\Admin\AppData\Local\Temp\6a201e4db26a9622eb1c57643923ea93.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3084
- C:\Users\Admin\AppData\Local\Temp\6a201e4db26a9622eb1c57643923ea93.exe
  "C:\Users\Admin\AppData\Local\Temp\6a201e4db26a9622eb1c57643923ea93.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:4672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:4708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI30842\VCRUNTIME140.dll

Filesize
63KB

MD5
3cf3427bb170e85ca66433228197bd6d

SHA1
7f4943993eaafe240d9a5e300547701366b0bd16

SHA256
0a15531bcd4c8a5259c9e49bea7492f720c6ddd96946ae29f8e11f635084aa12

SHA512
8a9fe77c4db0d12273d2c68c6a0c730243207f160c095c9e152f6475f9d13daf21f5c69e35baf50eea8b8e5c5491f705c734bae4a462300264015af6870a2fcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30842\VCRUNTIME140.dll

Filesize
12KB

MD5
fd82227b76ec5e3fe16f29597fd4a6a6

SHA1
592a5ab46cedf63b2c2c3019afeed741c0c89464

SHA256
0f1dbe59963e25f5ce22a51111b9cf204fd3267452f01609aa8e68961d01b35d

SHA512
d32959d97f5a19bd94c75d9b649e9625515929f50186ca1aaf8c9c82d198eef311d0d530aa6afd36745c12b43c7786600e417fbbcd6224087f6d944de9152eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30842\_bz2.pyd

Filesize
57KB

MD5
e329b278a11ae6928ab5b0e574ef883d

SHA1
3f65d746a9cdd391088742cb3f66dba2a0e28148

SHA256
4a00b2536b1b4686696d4b53016fd7ba5b163e04aec8a4fbca909e51ef4a34a3

SHA512
60f5a4c1f3ad4f6e33051c9ca45b3293eb70b9804612f271e0386e0a8800293bdacda1221fa268bad72ec82a9e70954f184f2871562b572bf2667821197a4ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30842\_bz2.pyd

Filesize
67KB

MD5
a4f6d5fe63feeec14707bd53e3f02739

SHA1
e1151337fa45c21ab9c7418408402b70a03efeff

SHA256
400e9509333466a5d9bde3cbb3a2ee077ededa52b64360af321e6ff7a1823f27

SHA512
9b098e81083498cbdbcb1ea4afb0ef648a0ef07bc50e76b84a4bc7608affed4a3eff66beaf24d7f8c6df000e4173633396c485add9ff9dc56fd8f936131dabe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30842\_ctypes.pyd

Filesize
85KB

MD5
f52443790341ec356297c173d3e0626b

SHA1
d679b56a907030e1a614a20f043caa56255cfabd

SHA256
d264797183936e394929e79e79c2ba68ed414d4a729bbd01727aa10197826c87

SHA512
99842c1a3e1b221415e9bf7b4adb30a87ccba0f1674d9daf08dccf0e6754ea9572905f3111744f5887b723b4d28d90b386871614abaf08ac323245c3306b5694

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30842\_ctypes.pyd

Filesize
24KB

MD5
985a6561500c9c4d12b0933dc72dea0a

SHA1
03e841d21107ef8aa60c27eed9ffc9690de9ab69

SHA256
ba6832ce03558be777628db969758b4fd4f0ac281078bff974ad8d01651deed4

SHA512
8201f1bb9ed9cf04bfa98f1c316192f6bb5fbf8839ed9499eb448ca7a04d1249b0304585ce161b0a2f6a916c2cfdc93b37f1db090d5cc7299e82966f65025801

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30842\_hashlib.pyd

Filesize
64KB

MD5
ae32a39887d7516223c1e7ffdc3b6911

SHA1
94b9055c584df9afb291b3917ff3d972b3cd2492

SHA256
7936413bc24307f01b90cac2d2cc19f38264d396c1ab8eda180abba2f77162eb

SHA512
1f17af61c917fe373f0a40f06ce2b42041447f9e314b2f003b9bd62df87c121467d14ce3f8e778d3447c4869bf381c58600c1e11656ebda6139e6196262ae17e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30842\_hashlib.pyd

Filesize
46KB

MD5
383c777ab09bf70091aa929f47757c9f

SHA1
84ee265c1ed88cae29f428316dec1e65db4541f1

SHA256
994fbca5f0d3d754b4ec2c7342a34741ddbedc6f00498fd5baa4d8c5656a07fb

SHA512
9a7e67e64547445f0c4f1d630b0cd1de1c0ff6fa19b6890c3a6f3a6a80e15685d1908812f934840a784a063f1e3bdf7de4224cc37596d78caa881212760f13cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30842\_lzma.pyd

Filesize
31KB

MD5
e701c51d4e0d346180293cb046588e95

SHA1
4cc61bc94e34557cffdeb4dc20c7132fb844dfae

SHA256
087f033f0ad8efc3b68e0b13d55b3f2a081557e2a9b80720499860967730b8a6

SHA512
a6a97490428def472d02903f097ac8f4b180e96ecc331c114218b82427ac95dbe9d3ccb5316eacff83b24b36748ca67625e703532af8ab21c33055bab03a2a43

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30842\_lzma.pyd

Filesize
23KB

MD5
becc17d50540b3c81a85a5135d3b50f1

SHA1
baff9b2476b34085d63389101decf1cead85ccc7

SHA256
ba3354e65ed8a719ae5b1cf61e4f4ecda37e3113b9794099816db1a01c4e486d

SHA512
f98c8715f92854b06fb3754b0ccf384f9a37b794b227618544cd8760a100862c2c2f0cffbfc51eea8b022ecb32e5c106e8754e3c19c6200019eaf6acb1e153b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30842\_socket.pyd

Filesize
78KB

MD5
4b2f1faab9e55a65afa05f407c92cab4

SHA1
1e5091b09fc0305cf29ec2e715088e7f46ccbbd4

SHA256
241db349093604ab25405402ba8c4212016657c7e6a10edd3110abeb1cc2e1ba

SHA512
68070db39cd14841bcd49db1acf19806b0aa4b4ac4c56518b3a3baddaac1cd533f0b3ef70a378f53d65c0d6c0f745a6102b63303ea7978c79f688c787efe9cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30842\_ssl.pyd

Filesize
40KB

MD5
ce8eb29b3957f1abec5add1ee17f6e14

SHA1
35c49164fb1bb5b67b5703389ebb0c802f0822bd

SHA256
e4ad79f5bdb05208e30ae613bc3f5de2f150163cb2d4c4763e564099f7ea6c31

SHA512
2ad2996307465aa1c5a492fdef86397d474a705d7c469c8f64d950f5f5ab3c383d0f44e2e2e79b55acb738e994c4cab64bdc16c9689162a1ede9c0d2901a1c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30842\_ssl.pyd

Filesize
29KB

MD5
1f7ac4bd7f9502a156d166c380827898

SHA1
a2a49d3c2b8963a026f8c451a7656937bf328d90

SHA256
29cdda1def9ed997b28dec8f39a82253c7dce092e1c444acbde4b9559c9832a0

SHA512
b6a010eccda7698ea5d105ae431d25bd206daaab656d45d507091575d21eb869a54bcf445abb6fb750a1791b1bf2c41cc7d8f2c4395bc352984802aaf0255a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30842\base_library.zip

Filesize
57KB

MD5
dd6f55d0b500499d9ce6642d07dae230

SHA1
15bef6531f64741c8362cfbe0625cac0a48afc33

SHA256
bc578d195ef9c58ee38affd10a540fae660d040118b699d38a574a71f79b325c

SHA512
0bd6f2dd4ed5c7acd9d8426033f5c2ce8f316a667148a78ad2b8ff0bf6b1d6b896cdcbcec25106f8e2ced23d76ff76a6133044cf01f91c810e2c7b4ff8de0a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30842\libcrypto-1_1.dll

Filesize
11KB

MD5
0428fc87f4ac11e33528442b7dcc3714

SHA1
01861d46ee5af2bf8000a4ed7103ce6c94ce3ada

SHA256
492f8adef753ef80fb296938fe67cc5937b32b2bd892e604e2e763068e22dd27

SHA512
18c12ba7d067c613d753aea309d4ce40a6ff9944c406fb84acad2b73582ec60af2fa59ea3309f5e2d75563645c9b33e24d70cb3136a1ee586ee4afae09920599

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30842\libcrypto-1_1.dll

Filesize
122KB

MD5
e7f2868b988e598bbc9149064c4a158b

SHA1
41576589c2a02a465d045bef9c1dd215c80f8445

SHA256
ae4628e7a2b31a6bec67e12046db863dd28e6ba14fe5a69c3d2ea1c74261d541

SHA512
c564f1cbcdca55bebbdba9382ed4c568ee21384b407a107f14ee535ae584ef2acec40bb9eb413e713a75919e396e1dcf3ae1357c0586e84af20521e5461e1e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30842\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30842\libffi-7.dll

Filesize
27KB

MD5
f6775a64559db6cf63a89ddcb94a4b90

SHA1
da2476a852fd2424429189538b5fd1cde1c32499

SHA256
b04eb48e3def661da6276c78b49d7a04d0aaa89c7f3386dd25ccc649ecb1980e

SHA512
0b37c1316264b84a21f42545b07b40c917f39f0a2047dacb8f9d89687b2b1a977688ce81cd53745a44d523dd880b08cdd1f51557fc29363126000f7e582fe77a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30842\libssl-1_1.dll

Filesize
44KB

MD5
80f1dddf556a26a167e2794c07a4bb44

SHA1
29d67066190bd332a4a84fca08dab947f4f45d02

SHA256
79067c05b25851c93af01088ffcea4a28fc75af4f4a37cf73c6d681bcbffa186

SHA512
03a49077d0d2eec00cda0cf91b43cbc1c0a2f3edd0e610698cdea0d0c37306e7894ea590b8a1567736c6aa30300c34ffde7bcbe08ec4e427842e908c094652c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30842\libssl-1_1.dll

Filesize
92KB

MD5
9b6c53d303c05d748333d9d9f08b979a

SHA1
792ba9df9ddab5300a89fa4e6c8806d2798330f6

SHA256
f7a293bb6d3b6df315f21b9c5bbd89ec64316640204b10adb44f6047f718b2bd

SHA512
7cbf072b2f7e58ce62d800f90b4f705332541cc8ca1ef87d7cb53eb6de774fe2b55f7a64e8e73a62b7721c71f8413bb5e80fd0931cc3b9ede4dea88270444cca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30842\python39.dll

Filesize
37KB

MD5
3c94c9237b622e4aa4f032e4229dacd1

SHA1
c3aeade21b1a667c35542cdbdca4f01fd5b8aec3

SHA256
ce4e62208bf69a46e6f8238832c8e883f2670fda2be0ee2a9863cba6a6eb5d45

SHA512
5dd5a94ca22b25c0e8c7341ebaf7f7a629a1b39088aa803d3145920c64a544cb0ff580723d2f4c494bbf78ce5136784689baa6afb3df1383b367627b0acdbce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30842\python39.dll

Filesize
92KB

MD5
9a924fabecb0961a2eba53b31beebb6f

SHA1
362a067d0da8717b9649153069a0f52a8af28919

SHA256
4fcdf91b5825b039956da090ce34b9c81cd9e5f50a5030779740539291ba0680

SHA512
0fc1653ef1ae8de43d1df651afb0a66ef1fce752bfb96177464e4cb8bd2d6f607621b7616c7ce51d1b65fc96465d1ade4895d9a1f7aa636b2c87dd1bd9779208

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30842\select.pyd

Filesize
28KB

MD5
f8f5a047b98309d425fd06b3b41b16e4

SHA1
2a44819409199b47f11d5d022e6bb1d5d1e77aea

SHA256
5361da714a61f99136737630d50fa4e975d76f5de75e181af73c5a23a2b49012

SHA512
f0a96790fcdabf02b452f5c6b27604f5a10586b4bf759994e6d636cc55335026631fa302e209a53f5e454bea03b958b6d662e0be91fa64ce187a7dc5d35a9aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30842\unicodedata.pyd

Filesize
18KB

MD5
890352debb19dcb509d5cc8158de1984

SHA1
6e9f718f0600abeee6833bdddae63f58e2bdf019

SHA256
d7c3970a622034caef0a7408770da4c80d98ad75dd21e7bec2e585dfe960e355

SHA512
ea539a84f99400af8c73ad6b7547498c9bb1ede3ed080180b2f2d35546f2f0722041c778d33763958f348c0608b6e86dca7b0813e2e31637eb7f1f5ef5bc47f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30842\unicodedata.pyd

Filesize
92KB

MD5
5c6c6144deaec3052ee51b4fabe7a741

SHA1
ff85a55ab77ef8f33dddbce2772d1f8bdeee831b

SHA256
1909753d6fecc78d7b8492923979eee3422dfa48c86bdd914c1bc85187798c33

SHA512
4cef35511430e9ac9e6580f231c689f935aca9c8e939305c9ebb9a1446b9606c3e56c615b821c7dc39c0bb64684dc302ff0eb65ead6ca47c087926d4833c4e22

Download Submit