31695c4eadcb4ed864f0ae142039d83f301d70de6744c9274a105f8655a9e526

Analysis

max time kernel
0s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d496a48e22ef07bf6bffa5887fd7622.exe
Size

313KB
MD5

6d496a48e22ef07bf6bffa5887fd7622
SHA1

39e73c31d770ad6d5c9780f3bf1f53946f05b4bf
SHA256

31695c4eadcb4ed864f0ae142039d83f301d70de6744c9274a105f8655a9e526
SHA512

214cd20802d51e38e159da3f3b4b3f3461a55b06b0c8ab8c5444b633fdd8f3582ed1895efc656fefcf2015df5ba3a3bc268b86207bcf29c9abea03e8501c8794
SSDEEP

6144:91OgDPdkBAFZWjadD4slybOoG8l0hDn4jmfAcxniZmcP:91OgLdapCki4jbcxnsZP

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
396	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral2/files/0x0006000000023215-32.dat	nsis_installer_1
behavioral2/files/0x0006000000023215-32.dat	nsis_installer_2
behavioral2/files/0x0006000000023215-31.dat	nsis_installer_1
behavioral2/files/0x0006000000023215-31.dat	nsis_installer_2
behavioral2/files/0x000700000002322e-100.dat	nsis_installer_1
behavioral2/files/0x000700000002322e-100.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1136 wrote to memory of 396	1136	6d496a48e22ef07bf6bffa5887fd7622.exe	19
PID 1136 wrote to memory of 396	1136	6d496a48e22ef07bf6bffa5887fd7622.exe	19
PID 1136 wrote to memory of 396	1136	6d496a48e22ef07bf6bffa5887fd7622.exe	19

C:\Users\Admin\AppData\Local\Temp\6d496a48e22ef07bf6bffa5887fd7622.exe
"C:\Users\Admin\AppData\Local\Temp\6d496a48e22ef07bf6bffa5887fd7622.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Users\Admin\AppData\Local\Temp\7zS3B53.tmp\setup.exe
  .\setup.exe /s
  2⤵
  - Executes dropped EXE
  PID:396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\wxDfast\bhoclass.dll

Filesize
46KB

MD5
d7a0ccb43037a7d1f4224f83bcdaf695

SHA1
7e78455db81547b026712176b79dec95ec054fde

SHA256
285423127153788b2e6acbd1772e51ec728edc0087942278ce2a9240342428b6

SHA512
743d3464dcfa5e61aeb773eba090205ea66a8919399b73c03643d7397899c85ca249eeb65af818a4fb69d3b3d92daf3c76e469bac8d014e9d3aa784fa10c3bf0

Download Submit
C:\ProgramData\wxDfast\bhoclass.dll

Filesize
84KB

MD5
793ee57de61419e4e552e7cf6294dfa2

SHA1
540d14477988b5cb7fd93ee40883bfcb225d3de4

SHA256
8d8f11a6c6edacf4344bf5b624c9a1ed4b248479a2ac9ed2515e9a861d32eaba

SHA512
b026ab2816e3e649fa49863e5226f3fe8170becc580efd790bbbb73b068a29733a6204d961a6b40df465e27a6261d475f01091117ca3d7936a0c6d047bb17895

Download Submit
C:\ProgramData\wxDfast\uninstall.exe

Filesize
46KB

MD5
2628f4240552cc3b2ba04ee51078ae0c

SHA1
5b0cca662149240d1fd4354beac1338e97e334ea

SHA256
03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6

SHA512
6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3B53.tmp\[email protected]\chrome.manifest

Filesize
114B

MD5
411ee2282085a7353daaddaaf1934224

SHA1
0a55a86fb9b3dd1c6d635d3197bfc6b6a75275ea

SHA256
789ce62d41f90b7243ca6ded6f452df229670c1a81b91a50009eec062c50a1d8

SHA512
cb5d44d3ba9af809d9f84df8f2077ac6009bbca734476685ec5489ed50641e9ea094ab5b0b31a173ec6f7902b8b3b93a87540b97d91c7f8b79a7e51770eed39b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3B53.tmp\[email protected]\content\indexeddb.js

Filesize
1KB

MD5
2854726360062dbd9841a46c83f66316

SHA1
f4f8cce115db76f19bdb33d6715c6b92bd981929

SHA256
3ae42718ba4659ba1f8bff290491a5cb50901377287cba92e9fbd2436c7a498d

SHA512
9a2ae767be1c959cca5c6f93c47a3513a1a044a2f4b615848a023f11bdc88f3e48594243f4d5234f5fcdd7e2fb407fe64ea31f3a91144706ad688ee92595038b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3B53.tmp\[email protected]\content\jquery.js

Filesize
36KB

MD5
b5d28fdffa24d30e7511c53b1912fd87

SHA1
c84babb60b28a9604c1475ca936c3218e28df022

SHA256
ae52ddabf446a35e617187a46c2b513f0cd94413cdbbadb614340afd135ff873

SHA512
7acbe379f9c0f354fd5efefd7763b5f76d2a71512ec9dd9334158904cfee9f350e94e092be02d3c99d365a753a9f98abeaebaf534f9bb66863da6f49da30b9ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3B53.tmp\[email protected]\content\jsext.js

Filesize
6KB

MD5
ce8d7aff97c189ed59eacf01b9bebffe

SHA1
d116a6c69baf75790f700e60d65154da430c431a

SHA256
d0b8e3799239a91ebfa646cb14af4294ee62fc45e8d03829e003d4b8bbfb098c

SHA512
d024fcd7a7142e877684e1158d236c7703ba8ce997c0f93478b7c75bfeb1ac70169da6a51f54c26bac05aadb27c49fad98de7341648eee95fac31d88ea774543

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3B53.tmp\[email protected]\content\lsdb.js

Filesize
1KB

MD5
76a70d1467b2f8d2b5b07fbd591879ea

SHA1
3a0b95fa4f341e51e44c5b8e427686a13f7b32da

SHA256
8a01044256253175e3acf4f81975acf359342f589a77dfa0a654849e1edb74c2

SHA512
edc9b0f9cd6e6e85e5eb038b7c1d267f95868287b9f0ec548578ddebd55b6400ede4551d970e29459499555480071d64cee7ace921493e8c551eb37101848944

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3B53.tmp\[email protected]\content\prfdb.js

Filesize
1KB

MD5
4389c8abbe0fe74b45dd9a916a885d3e

SHA1
638a3fad1bd92182f9e73300987dc1ebbd006485

SHA256
457aed42113ddeba7e9e7e45f7b1e599f2d9af748a76106443104db8fbf9b63a

SHA512
1a70ad78db3d9acb596793d0ffa1e93e312be0c3983e930eed4383c2fa6776646fb2a1312192c9e0ec6c4bc447000e0eb965501f4aaec175d7748d886159caef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3B53.tmp\[email protected]\content\sqlite.js

Filesize
1KB

MD5
85e638bff1c3b0368f21f70ecfccefdc

SHA1
7db078d0d53a8c5dc2c84b83b00e95836cb4d40c

SHA256
f6f1c9142e3a25c8e56fec3830dd3fe31e6f7a9f2cc5dda5c36214ff124def4c

SHA512
dcfe97f9efd39d1fce254ad0c6ee863a7b091670aba5df1a302a9e9b63f431298d7fa09442bb7bcff75c1ff724c6695603ecebe23bf20c9061c061909dd98155

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3B53.tmp\[email protected]\content\wx.xul

Filesize
228B

MD5
94ba09115f9c7221084b4e20ffaa11ee

SHA1
f543cbd0f632b11bb0927cac42b333861606f822

SHA256
514ae9ee3e40a924f5d4b13df1bc485f776be8c1237d0e5bbb61b58695cdf1fb

SHA512
95c0083b0253859ea5afef37aa5bebf7f301f40a41e69e8386e970be7a5692a12b9721b46eea9d07816cee809f8bd4937625d6a02eb68602259a9516b8e0347e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3B53.tmp\[email protected]\install.rdf

Filesize
677B

MD5
61f11c7ca10ba23b16accdcf77a94212

SHA1
3b9500b2bb9018af152c850895a32632c40eac34

SHA256
1fc307e48bbb1ac01ecc3b91bd131c207aedf44bb191bdf7645b7b24634f7e81

SHA512
452682d5fcbfb029dd68fdd5a0fcfc3bf68783bc177b2c4dd515b924fde1daaa331c280ff6ed511b5b0147a063925baf86c0e56cb517089e3ccbc8dd3d05b849

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3B53.tmp\background.html

Filesize
5KB

MD5
6087600928191f9fb7cb94a210ffc571

SHA1
18f95e760d1f28b73865d36d5430865de7fa6b97

SHA256
e81f26b59cb6ea8cd46199c57a88e38a032705d7dc06572db7cb07b8ea95ec35

SHA512
825ab03050c941351ad051e5a7cf83d4a73b0832950fe2f63fda1dfd6c92ae7b1c2e174cfad37cb416c4f48d8d4ac1d6b19bfc41efe81a49a7b837bc91a194a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3B53.tmp\bhoclass.dll

Filesize
76KB

MD5
27cd6d12ca85a05ce7fffcb66ddc6241

SHA1
ef428e152f8f55eea8f7103faea492e915419d4d

SHA256
370a90e0450cf0c193da1bd29bc5e978b0c166007cbf911e4cfeb47dc78f134f

SHA512
eff612d2c1478949167b7097f0a344fb1ab1a233fe5ff7c77875ffbdbae8c601312241b6b533cab77919b3776af2666abcab0118a52a1cb80d3a84225f0f3e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3B53.tmp\content.js

Filesize
385B

MD5
e5f6e3036a1823858c56688645578c3d

SHA1
41350e7bfb9beeed6446a9641536f9bccb35d581

SHA256
3a60704218d0596690017a34e7dc068cdbdcb62ef48937d26188185fad53360b

SHA512
9256c29395e51fbbfa7d7c821c903beff5b3f59da6a779dc22be67ce2d8fa53b023d1e51315cb82bdc0811e9c034f18f9090e308980a2bb9a5b2dd3aa2bb8349

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3B53.tmp\mekkgofkidgakmiekppfijplmhiglacp.crx

Filesize
37KB

MD5
4cf1005294c2224330218c59094c61b7

SHA1
9829dcd9a3aac65a312ecd93e6a834a6e6b05fa6

SHA256
ffdf2cf87a72ac69b467fc82f48fcd2f3bcc468663200045c72a7919ee35d8a6

SHA512
cbc5a69a430829d3763cbb45b62a66307f6b1c866be8fa9df10af27fee402a3ec669f13d7bc120e7340e5be9f7966833cbb3da0b7df3bf73dc83b5f729719397

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3B53.tmp\settings.ini

Filesize
599B

MD5
a57a006c151cfdb4fbf080bccd38e688

SHA1
b7693edc274e1cadac9bf466d4d72e1d53c484f4

SHA256
1e73e96ec253f5385562ce516d7848a07ab4dac4cac7dc94780ad94a4bb39908

SHA512
933b79d952b255aba97350fc1ea0e0f5c62da09be85e1e97e0ebfdb677d9a8f1e8bd20119562435f0ede3468cc4ddda8f5cccd4b8e89fa4c1c5f8611972dea0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3B53.tmp\setup.exe

Filesize
42KB

MD5
af4e8eae29958f7f72b4723ab10a8751

SHA1
59d62828b7a928a460fb93ec7688c0b32b297cd6

SHA256
4a8ce4c063a3f7916fa47e58f64b6522d94570161f206f641e287727db2a7149

SHA512
b0e41c14aedfa95f10ec0025a1a104869b09b014b11882f240f7f8b7b7bc94702038b0df8fc3bd227f5f7beb1bab0203116fcde4840e95b111a678a62d534860

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3B53.tmp\setup.exe

Filesize
44KB

MD5
2b0c748057f04331eeda0986fae40a33

SHA1
f59a18f8244b690c71b474abe903cc3d8cbb196a

SHA256
9cda200d782331d8e221a1d59764e32f5c5208a49d8c30d1974fdfab118b7e44

SHA512
06c321a7b9465e50d522c45d9a908a145bd3d23364e9dbcc2b7b0afb600d36f872884fde5ca43bd6dd6bac6d06fb79166be58a6ba98af78658859ff164a976fb

Download Submit