88ac4586a3dd2af385bf891f613fb2d988e61f8e7abf7dcd112e69bbc24d57c8

Analysis

max time kernel
435s
max time network
442s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
23/12/2023, 19:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ipstealer.exe
Size

8.3MB
MD5

728dc8aea895ebf6c237f4ef6a01b716
SHA1

0f8abb81b089a392ac5e9782ff92980f14eb5e71
SHA256

88ac4586a3dd2af385bf891f613fb2d988e61f8e7abf7dcd112e69bbc24d57c8
SHA512

dde4466010931ce1257f7bf6a8a527a1bdb58a6cb13c3f84f8e3f89f07a185dff07c3620da1111cf87465cfd89fec8729e49d66b5ab10198134714a7c25bec38
SSDEEP

196608:z0uFh7Tn61W903eV4QRBtpDjIIAcwD0RPIvvk9LIiQ:fh7TnwW+eGQRL9jo0Jk

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 20 IoCs

pid	Process
4440	ipstealer.exe
4440	ipstealer.exe
4440	ipstealer.exe
4440	ipstealer.exe
4440	ipstealer.exe
4440	ipstealer.exe
4440	ipstealer.exe
4440	ipstealer.exe
4440	ipstealer.exe
4440	ipstealer.exe
4440	ipstealer.exe
4440	ipstealer.exe
4440	ipstealer.exe
4440	ipstealer.exe
4440	ipstealer.exe
4440	ipstealer.exe
4440	ipstealer.exe
4440	ipstealer.exe
4440	ipstealer.exe
4440	ipstealer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
30	ipapi.co
27	ipapi.co

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4440	ipstealer.exe
4440	ipstealer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4440	ipstealer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 4440	5048	ipstealer.exe	92
PID 5048 wrote to memory of 4440	5048	ipstealer.exe	92
PID 4440 wrote to memory of 2600	4440	ipstealer.exe	94
PID 4440 wrote to memory of 2600	4440	ipstealer.exe	94

C:\Users\Admin\AppData\Local\Temp\ipstealer.exe
"C:\Users\Admin\AppData\Local\Temp\ipstealer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Users\Admin\AppData\Local\Temp\ipstealer.exe
  "C:\Users\Admin\AppData\Local\Temp\ipstealer.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Windows\SYSTEM32\curl.exe
    curl https://ipapi.co/latlong
    3⤵
    PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI50482\VCRUNTIME140.dll

Filesize
8KB

MD5
796c59d376a5e7e62fd33412305fd435

SHA1
bd9101237766b4fc02e47f94d21b035ee906ed90

SHA256
027daa33efec21098f0bd32470138368d9c5e140d878a39f29fb4a3323dbf547

SHA512
497af737e8eaeccd7c191b25530e990e78ae5985d35b6f32597703828a650e72f3f9fee9ef5e7a0bc080dfbf0ad3e28b614f9a739e2e1ac07c18e4344d6de7e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\VCRUNTIME140.dll

Filesize
9KB

MD5
3844a2bec31059dffa2fed40ae4ba742

SHA1
52d22d1a068d2e4a00933f94914cfc0ec2fe384e

SHA256
58eaf2a892fb022ff3657d21440300d419e459d97120e3237c1bd20816f77982

SHA512
00eee99d52411621ac87af501d9c662387b8abfea185c25aa65638fb19ec2594f9c55a738ee773d8029a7c35348bfecef816c34831acaf1183b5f45adac3a4ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\_bz2.pyd

Filesize
68KB

MD5
e8296410a4f69b67fb3ba8fa26080b88

SHA1
c69ce0b4bf9471bae6e4a7fcac61abf01d3c121d

SHA256
d68f13cf5c840d533ef52a7fca579b3c7a628a68b0777adb80102a011f7f2bb3

SHA512
1f4d26b8e50173729312baf99e923e7465e4e863a23b56091c386fed40502871365631637c740f32fdbbbd34a50b96407af9d687b7c2541a47a129c4f8ef1ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\_bz2.pyd

Filesize
82KB

MD5
c7ce973f261f698e3db148ccad057c96

SHA1
59809fd48e8597a73211c5df64c7292c5d120a10

SHA256
02d772c03704fe243c8de2672c210a5804d075c1f75e738d6130a173d08dfcde

SHA512
a924750b1825747a622eef93331fd764d824c954297e37e8dc93a450c11aa7ab3ad7c3b823b11656b86e64de3cd5d409fda15db472488dfaa4bb50341f0b29d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\_ctypes.pyd

Filesize
81KB

MD5
8f072207fed390d092e8c12972c16933

SHA1
022f57877f1b7a1ac710d7aa1e780703f457eec3

SHA256
a7fea6841c3e2dec9ac32ead5a137e2490e01d4ce73427e1cdee8176b49482a6

SHA512
19915ef1e3019d64585ad0e2c4bc4626a14a3285de25bbb12e423d8046b6da8c4bdf100aa9ce63525e583158ade48dc8ee76072831447dd1822dd93f313419da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\_ctypes.pyd

Filesize
109KB

MD5
a1587efd138e698e65a3af272953f04b

SHA1
e54aca6275ab1dcf2a732e2d41b845a66b291cdc

SHA256
7fbc58f18b599dd7a0ce30693099ee42b40d5aa86d5bb3e4beb6695bf71aa42f

SHA512
ad1e609fa0a1c35c6369d392d3d40fbff506065d27a763c468b552c8ade3bc82ec4d970b668d6d63cc683579677f4e40f783677258a1d1bae3df292bdc9e4a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\_decimal.pyd

Filesize
92KB

MD5
09d55a4f65c4053f4e5aab61c7bad963

SHA1
9b62e718930bb8b48d076d5d6cf79f4830682858

SHA256
f5a8a44f3ed1803a96a347580f6a744ea1ca5d0c392bb1afa33f374ab4b4042c

SHA512
d326a3a2ef53f6ad955218ca26747f12e05b801c41e3ed6f5a79271e314007577abf07195f1ceb01ebfdb2ba02663210b5683dd87410be7738980bb40ce5794d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\_hashlib.pyd

Filesize
63KB

MD5
f495d1897a1b52a2b15c20dcecb84b47

SHA1
8cb65590a8815bda58c86613b6386b5982d9ec3f

SHA256
e47e76d70d508b62924fe480f30e615b12fdd7745c0aac68a2cddabd07b692ae

SHA512
725d408892887bebd5bcf040a0ecc6a4e4b608815b9dea5b6f7b95c812715f82079896df33b0830c9f787ffe149b8182e529bb1f78aadd89df264cf8853ee4c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\_lzma.pyd

Filesize
123KB

MD5
fe88a021b411a71c2374aa3a03fb10e8

SHA1
ea1f22e1396a73daa47c18d7227dc5db8db3e3b3

SHA256
07ba5563bba71164c4ff2b1f049db4f6417119da67d2fe7850e086d248db5891

SHA512
c65e4226373fc11887a1d0c5e71759bc6cf96a307fb2939a5b640abb13da3eb997d77aac6bfbc6c3bc28dc40af08b060da64a2085c1c33def07785ea9a24bdef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\_lzma.pyd

Filesize
122KB

MD5
75dd9b8ec9e0c0e5c6f1d03020b31190

SHA1
549075015c7cdf3afd8e03d85f8d5ca246e3e3ad

SHA256
7413a122320e5a3a811b8b3b75f5a403ded2c22537d21ac4ae443f90901cd524

SHA512
70cb3d29721b3510eb38157298038bef4eec4f53fe2798f78205e8b0e78377cda8ea3c74f13e777c5b9db82f99e619f9e8cc1ffe5397e3b18172f654d1875425

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\_queue.pyd

Filesize
31KB

MD5
6e00e0821bb519333ccfd4e61a83cb38

SHA1
3550a41bb2ea54f456940c4d1940acab36815949

SHA256
2ad02d49691a629f038f48fcdee46a07c4fcc2cb0620086e7b09ac11915ae6b7

SHA512
c3f8332c10b58f30e292676b48ecf1860c5ef9546367b87e90789f960c91eae4d462dd3ee9cb14f603b9086e81b6701aab56da5b635b22db1e758ed0a983e562

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\_socket.pyd

Filesize
81KB

MD5
899380b2d48df53414b974e11bb711e3

SHA1
f1d11f7e970a7cd476e739243f8f197fcb3ad590

SHA256
b38e66e6ee413e5955ef03d619cadd40fca8be035b43093d2342b6f3739e883e

SHA512
7426ca5e7a404b9628e2966dae544f3e8310c697145567b361825dc0b5c6cd87f2caf567def8cd19e73d68643f2f38c08ff4ff0bb0a459c853f241b8fdf40024

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\_socket.pyd

Filesize
43KB

MD5
3e95ffd787208187ebc37e6ec061c2c8

SHA1
cee01cb240e1e0c8638f602785c2c5d1ae1d6307

SHA256
0e6ef8b41c8e00223566165826cf25466459bdceae09127e08d5f42bd38dc0ab

SHA512
0f5ddf018d8687304d04051501f577d697d3b5574e6ad0dadbebb92c538ede641760126057206a290aca8ce0373bf2c80c2dda00a45a06b7f55e87829137f9cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\_ssl.pyd

Filesize
173KB

MD5
9b4e74fd1de0f8a197e4aa1e16749186

SHA1
833179b49eb27c9474b5189f59ed7ecf0e6dc9ea

SHA256
a4ce52a9e0daddbbe7a539d1a7eda787494f2173ddcc92a3faf43b7cf597452b

SHA512
ae72b39cb47a859d07a1ee3e73de655678fe809c5c17ffd90797b5985924ddb47ceb5ebe896e50216fb445526c4cbb95e276e5f3810035b50e4604363eb61cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\_ssl.pyd

Filesize
110KB

MD5
db57b8f4f8cc351d05da58462b999592

SHA1
5d49339d232e80d7382a46bc08f60cbbb7db8990

SHA256
6f0c14812d19896f22501b6957b5eadfc1fc4f4257e20cae40ff6c0ea20721c7

SHA512
12482d809ece63042660af4d24f7babf0a4379ce5e1a7873034a0560a3d8ea52eaf0c5fec31e5199b0fc1e7c7ac6017d9eaf908ddd9a3b1c9403052f5def7820

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\_wmi.pyd

Filesize
35KB

MD5
ee33f4c8d17d17ad62925e85097b0109

SHA1
8c4a03531cf3dbfe6f378fdab9699d51e7888796

SHA256
79adca5037d9145309d3bd19f7a26f7bb7da716ee86e01073c6f2a9681e33dad

SHA512
60b0705a371ad2985db54a91f0e904eea502108663ea3c3fb18ed54671be1932f4f03e8e3fd687a857a5e3500545377b036276c69e821a7d6116b327f5b3d5c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\base_library.zip

Filesize
5KB

MD5
28f461b45cbb894648c0673fd429f771

SHA1
914d5e6aaa6044d911e73664bf143118d110c76e

SHA256
5fb7b7d90b3023858b24e047f1fd7b6b3c8eec84880671da3cc98431f7a7429f

SHA512
c8bb85b28df009aa577853cccfdefe25e2929c6dfb85919bf5b058471fd945673191fba097dcce45af7e255528d956a68433a903cb440a48e1f59f9911812cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\certifi\cacert.pem

Filesize
283KB

MD5
302b49c5f476c0ae35571430bb2e4aa0

SHA1
35a7837a3f1b960807bf46b1c95ec22792262846

SHA256
cf9d37fa81407afe11dcc0d70fe602561422aa2344708c324e4504db8c6c5748

SHA512
1345af52984b570b1ff223032575feb36cdfb4f38e75e0bd3b998bc46e9c646f7ac5c583d23a70460219299b9c04875ef672bf5a0d614618731df9b7a5637d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\charset_normalizer\md.cp312-win_amd64.pyd

Filesize
10KB

MD5
d9e0217a89d9b9d1d778f7e197e0c191

SHA1
ec692661fcc0b89e0c3bde1773a6168d285b4f0d

SHA256
ecf12e2c0a00c0ed4e2343ea956d78eed55e5a36ba49773633b2dfe7b04335c0

SHA512
3b788ac88c1f2d682c1721c61d223a529697c7e43280686b914467b3b39e7d6debaff4c0e2f42e9dddb28b522f37cb5a3011e91c66d911609c63509f9228133d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\charset_normalizer\md__mypyc.cp312-win_amd64.pyd

Filesize
93KB

MD5
8f9a3d8c0acf73aaf5dd1820f64dcb87

SHA1
a8ca5068e243ba8196bcf948bc6a3dbce474848f

SHA256
3ed8fd9425c8e67e5da89b24dc0042b938b7db80032d6c738410a6b5407d32bb

SHA512
54800ef15a7fb17dd35c0277d749a39937bd79885247fd27a145eb6b96552d0568b61b63d6c480e92fcff4e6110de1fa44ff3bde37478fd5809dee252155491d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\charset_normalizer\md__mypyc.cp312-win_amd64.pyd

Filesize
120KB

MD5
bf9a9da1cf3c98346002648c3eae6dcf

SHA1
db16c09fdc1722631a7a9c465bfe173d94eb5d8b

SHA256
4107b1d6f11d842074a9f21323290bbe97e8eed4aa778fbc348ee09cc4fa4637

SHA512
7371407d12e632fc8fb031393838d36e6a1fe1e978ced36ff750d84e183cde6dd20f75074f4597742c9f8d6f87af12794c589d596a81b920c6c62ee2ba2e5654

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\libcrypto-3.dll

Filesize
250KB

MD5
3661480c45c28f640b67a686e0f2aa34

SHA1
95472226a6b643db19cf801490415b3afa99f951

SHA256
2238e9f612aab32ad2e8e404169a08ff562609ca3e5234369947fdb8a2de9037

SHA512
199a5d1da1c608e9b058cbcc099fb35e74a0c370ea27fa2120575a2dada5e6cac0ec4bf82aeff9ebc04a0902dc05969d2aa7addeef5aa2f44c82c14ef491d660

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\libcrypto-3.dll

Filesize
86KB

MD5
5f1079f188d02d24c01d612ce8b45fd7

SHA1
2c2191fa853e9e14a24e0b7e825fff7f1ec16aa4

SHA256
617f73b3878a09b4bb252547d79e366f676238694bc14cc603d771e319bfd3e7

SHA512
32319784b13237001b80a88ffe3e74eff086b38c3c0e606f0e5f28d311f9d5ba5ed2f20124f1360575f4bda5e183ab73dafa00eb072c2d9b00057934b91bf8a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\libssl-3.dll

Filesize
157KB

MD5
d08b599a7f258c58c8763eef5863739a

SHA1
c7826a1026c9dfca2d2c5a6fc9aca95896cc8349

SHA256
345336a2a908a0b201967bcbc85a190e44a86881a9dfd609114001e3ab777070

SHA512
906d4c27a112f3dfa5909ff89a7ee2315e7a97390df8f81b9d62780547b0e4308c8f4ee5dabee2d1b9fb9c64069d2a2b21797bb2b7a59e6f1898f42c97cd7383

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\libssl-3.dll

Filesize
117KB

MD5
b3ce76db63978dec5a0d5ca4bac65f09

SHA1
4bebf343fe3668e21761650ce5a602502d5832f0

SHA256
e7f26855187db479af8cc16d33129bdc9e38c220bda25bee8a84a4a3134c3dc8

SHA512
9fa45a843fed0ca205ea6e50c067ca55cad514202dafbc4d75cc53a062875efd0e974f58a70c1043c7a872f9cadf1fa70f5c790203f9ab2f7884cc8e73e548cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\psutil\_psutil_windows.pyd

Filesize
65KB

MD5
2c62184e46ecc1641b8e09690f820405

SHA1
953db2789d5eeab981558388a727bd4d42364dd6

SHA256
43e09408673687a787415912336ac13fcca9a7d7945b73d0c84ac4bb071e9106

SHA512
2df440a9bf87345a5a0727cf4ae68592b32324a3a4d4611d047fbca7984a9b8e55487d89e83e80df8e0580c2a1db26db9722dbf18d4b2c8fd2770a55309e573e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\python3.dll

Filesize
66KB

MD5
77896345d4e1c406eeff011f7a920873

SHA1
ee8cdd531418cfd05c1a6792382d895ac347216f

SHA256
1e9224ba7190b6301ef47befa8e383d0c55700255d04a36f7dac88ea9573f2fb

SHA512
3e98b1b605d70244b42a13a219f9e124944da199a88ad4302308c801685b0c45a037a76ded319d08dbf55639591404665befe2091f0f4206a9472fee58d55c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\python312.dll

Filesize
1.2MB

MD5
df2d119dfc0cf8b8e1ea00f7d0806592

SHA1
904db205180e795dfe332501e824f8af5193456a

SHA256
20b9701fdfb4e3005f61637bc410c6cdd6e3b001440e4f6356807b7b46d7c371

SHA512
c76df9e6a8cf85f3b2ec6a7c7bbfb00765748a8ac1faa4444629e809a1b74812c2f130d81ea1f57f636d7b4932e8cf67715dd938c640136b63267b9f41cb9843

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\python312.dll

Filesize
15KB

MD5
06cd2fd874bc6b4bcabe80b7c913c371

SHA1
f86ff50eed60f8b21509eaeabd4c4f42129aa9f6

SHA256
c32c1e84ae521cf50d508f298ff9fe31f146a066319977c992f8219e6e4062fd

SHA512
cd89c0d31bc5519fc0d7f32b9b84c3f81e870201b0c2ffc2fda429f2b41840d7dab6037de1d874cc8c176b63352e7894824225c04116eb683bb83de516e435be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\select.pyd

Filesize
30KB

MD5
bffff83a000baf559f3eb2b599a1b7e8

SHA1
7f9238bda6d0c7cc5399c6b6ab3b42d21053f467

SHA256
bc71fbdfd1441d62dd86d33ff41b35dc3cc34875f625d885c58c8dc000064dab

SHA512
3c0ba0cf356a727066ae0d0d6523440a882aafb3ebdf70117993effd61395deebf179948f8c7f5222d59d1ed748c71d9d53782e16bd2f2eccc296f2f8b4fc948

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\unicodedata.pyd

Filesize
105KB

MD5
69a283b472d00f14b453e940e6022887

SHA1
0c0359b44db64a81fdd4d350bdab9e659e5b0541

SHA256
d00bb62ea8f8e8052cfd6272fcb804cfc84d00b2bd3404ed435016e94952d516

SHA512
cdcdc09edf0aeabcf63bd498583b147456a74f8f81ba437715162b11510977bc7334ab3a45a21613a9dda65f46b12351e8ed038cb7d00691d44b913a5e421812

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50482\unicodedata.pyd

Filesize
76KB

MD5
2442ff75973402aa7f11e21f698bee04

SHA1
3d90f8ee054c44f7a4b05c095a9bb8e14c2f6a69

SHA256
bb52397dbc6ce8d5170b99d3aecc5e2351be8d98e4e5a0fa14965e1cb78cef71

SHA512
0f9f48a789ae2dcd7a7db7dac48c192d20f6aff0216ee9077b6eb39e3bcbcf0f691813caf7afa66076d5a820c2786be3e902607ca340a4b916b772e6f27644b9

Download Submit