Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-12-2023 23:42
Behavioral task
- behavioral1
  Sample: 1a69935073fb2ff90d74e75428854bf8.exe
  Resource: win7-20231215-en
General
- Target: 1a69935073fb2ff90d74e75428854bf8.exe
- Size: 1.9MB
- MD5: 1a69935073fb2ff90d74e75428854bf8
- SHA1: 41abbb5100a64a9637cd5af6b678902baf731013
- SHA256: 3422b33a307f80a5dad2882982e061d1ed496f7a1b5c6541fdde8cbab133af7a
- SHA512: cdf36b6ce52de3447154d64d3c3d180b8a540f51d2c60cac1bd04b440e51c1050cbb16a15935ffc5c1c2b93b0a4c3d26c0278c612f6171835b09bc650342538b
- SSDEEP: 49152:3eSgHKhG7DuyiTDi+EjIJo54clgLH+tkWJ0:upq47DfsibIFcKHgkWJ0
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
  Processes:
    resource                                                              yara_rule
    behavioral2/memory/2424-0-0x000001BB5E9A0000-0x000001BB5ECB4000-memory.dmp  vmprotect
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    7     api.ipify.org
    9     api.ipify.org
    35    ip-api.com
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
    pid   process
    2424  1a69935073fb2ff90d74e75428854bf8.exe
    2424  1a69935073fb2ff90d74e75428854bf8.exe
    2424  1a69935073fb2ff90d74e75428854bf8.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description               pid   process
    Token: SeDebugPrivilege   2424  1a69935073fb2ff90d74e75428854bf8.exe
Processes
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\FPBJu078BFBFF000306D20E224AB629\29078BFBFF000306D20E224AB6FPBJu\Grabber\DebugSync.txt
  Filesize: 277KB
  MD5: 33af2f2700e3e5802ba256caaab8603e
  SHA1: e907d7fba8994783bf8c8f3b438ec36e946f634a
  SHA256: e0c83ad2cf427393e9a3f676ede626559691adaf1c4434b045c981efa0a680a9
  SHA512: c66dce0f8766611ed9ba8a3bd636542fda21daa1c2706985ea591f96f149c0863a71383084bb3160c0ebde03dcb69cd3406fc0a5203e93229ca7a481eaf6eed6
- C:\Users\Admin\AppData\Local\FPBJu078BFBFF000306D20E224AB629\29078BFBFF000306D20E224AB6FPBJu\Grabber\PublishPing.zip
  Filesize: 134KB
  MD5: c3dbb589fc302e72f0025e286ef38af5
  SHA1: 4d24034f6b0b8f735255c14296933b405c35cac5
  SHA256: 4cd81fbede1488b83f1816ac0236b57c2ecc1d1a5cb038bf06e264c2187f3f8a
  SHA512: c9c0c161eb15b81a35f87a4cdeaf4d8ebe4dd3b7b3f1a2dc48b966e94e6291ec83f9a2425b7be9a23fdd48fc1c7c435234b8c5fd9631a89d2c6f6f1102d625be
- C:\Users\Admin\AppData\Local\FPBJu078BFBFF000306D20E224AB629\29078BFBFF000306D20E224AB6FPBJu\Grabber\RestoreRestart.rar
  Filesize: 106KB
  MD5: 8c2177496f4350d2b45476c74bb0e5d3
  SHA1: 21153d1e10ddf9f4cf7531d2f54b3e142d14e684
  SHA256: 61f64dfb7581e1bbacb37cf490ef53e872a235de821f8cb6f77e6538012b7235
  SHA512: 7395413e44085718efd693ae1172ea619fbb4914b59963c3b9ce0a8b66994b14a1647deab65a30235d2f99abe93efffa5e4a2d92d96d51280c4fedec32fa13e0
- memory/2424-0-0x000001BB5E9A0000-0x000001BB5ECB4000-memory.dmp
  Filesize: 3.1MB
- memory/2424-1-0x00007FFBDFB50000-0x00007FFBE0611000-memory.dmp
  Filesize: 10.8MB
- memory/2424-2-0x000001BB608C0000-0x000001BB608D0000-memory.dmp
  Filesize: 64KB
- memory/2424-3-0x000001BB5F050000-0x000001BB5F051000-memory.dmp
  Filesize: 4KB
- memory/2424-4-0x000001BB79270000-0x000001BB792E6000-memory.dmp
  Filesize: 472KB
- memory/2424-61-0x00007FFBDFB50000-0x00007FFBE0611000-memory.dmp
  Filesize: 10.8MB
- memory/2424-62-0x000001BB608C0000-0x000001BB608D0000-memory.dmp
  Filesize: 64KB
- memory/2424-73-0x00007FFBDFB50000-0x00007FFBE0611000-memory.dmp
  Filesize: 10.8MB