e865b2737a522f2f287e30d743f46b84fee85d91b94ec2002ebd2c6deeac454c

General

Target

207bad266aa3ba40c90137c8be44c232.exe
Size

996KB
MD5

207bad266aa3ba40c90137c8be44c232
SHA1

adaaed88d37096a63355afd6ee1d496ae174d84d
SHA256

e865b2737a522f2f287e30d743f46b84fee85d91b94ec2002ebd2c6deeac454c
SHA512

22c9e2401bcaa0b995cc41854f747b2f4bc486e27ff2f493e4035a66f7e4a0bc234ac578081f392c7461e10602de8a9fded043a6527affe58bad584bb5e799a5
SSDEEP

24576:eNwtgyFEKZvazmmkbItE5oNhFNAwse7wHbvNZs:eNwtOEaimLLU3s

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2840	autoposter.exe

Loads dropped DLL 2 IoCs

pid	Process
2168	207bad266aa3ba40c90137c8be44c232.exe
2168	207bad266aa3ba40c90137c8be44c232.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2964 set thread context of 2168	2964	207bad266aa3ba40c90137c8be44c232.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2964	207bad266aa3ba40c90137c8be44c232.exe
2964	207bad266aa3ba40c90137c8be44c232.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2168	2964	207bad266aa3ba40c90137c8be44c232.exe	28
PID 2964 wrote to memory of 2168	2964	207bad266aa3ba40c90137c8be44c232.exe	28
PID 2964 wrote to memory of 2168	2964	207bad266aa3ba40c90137c8be44c232.exe	28
PID 2964 wrote to memory of 2168	2964	207bad266aa3ba40c90137c8be44c232.exe	28
PID 2964 wrote to memory of 2168	2964	207bad266aa3ba40c90137c8be44c232.exe	28
PID 2964 wrote to memory of 2168	2964	207bad266aa3ba40c90137c8be44c232.exe	28
PID 2964 wrote to memory of 2168	2964	207bad266aa3ba40c90137c8be44c232.exe	28
PID 2964 wrote to memory of 2168	2964	207bad266aa3ba40c90137c8be44c232.exe	28
PID 2964 wrote to memory of 2168	2964	207bad266aa3ba40c90137c8be44c232.exe	28
PID 2964 wrote to memory of 2168	2964	207bad266aa3ba40c90137c8be44c232.exe	28
PID 2168 wrote to memory of 2840	2168	207bad266aa3ba40c90137c8be44c232.exe	29
PID 2168 wrote to memory of 2840	2168	207bad266aa3ba40c90137c8be44c232.exe	29
PID 2168 wrote to memory of 2840	2168	207bad266aa3ba40c90137c8be44c232.exe	29
PID 2168 wrote to memory of 2840	2168	207bad266aa3ba40c90137c8be44c232.exe	29
PID 2840 wrote to memory of 2072	2840	autoposter.exe	30
PID 2840 wrote to memory of 2072	2840	autoposter.exe	30
PID 2840 wrote to memory of 2072	2840	autoposter.exe	30

C:\Users\Admin\AppData\Local\Temp\207bad266aa3ba40c90137c8be44c232.exe
"C:\Users\Admin\AppData\Local\Temp\207bad266aa3ba40c90137c8be44c232.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Users\Admin\AppData\Local\Temp\207bad266aa3ba40c90137c8be44c232.exe
  "C:\Users\Admin\AppData\Local\Temp\207bad266aa3ba40c90137c8be44c232.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Users\Admin\AppData\Roaming\autoposter.exe
    "C:\Users\Admin\AppData\Roaming\autoposter.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
      dw20.exe -x -s 560
      4⤵
      PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\autoposter.exe

Filesize
55KB

MD5
41ecfae85ff1ee940b18c0e9cb6a53ad

SHA1
d42ae3f5273bbfd7963b07ee9fae51978306a66a

SHA256
1d52e230753e3015c089f6ba4e1820b1fa50957aa11aceb9ec5eabfd093af6f5

SHA512
8df9a343e28e6c54e9e1b875e2ec2214f2076c1e2b64150376797b4b96c156833a666ae6eb97f40ee97165297e501670aaf655250f8a179531dac6a9c331e929

Download Submit
C:\Users\Admin\AppData\Roaming\autoposter.exe

Filesize
126KB

MD5
b090e889be2378afd5776996496204be

SHA1
b274d94d04b89c5d0802af9bd98c407b3b9eedf9

SHA256
9f5454bcfcccbe79db373da1445adff7b6912734220b3737a0dd5f764fd13e6b

SHA512
31a92ad471a5965fd636c23290af134ba5430c713c3ca1dfa33e4a0b848229fc72477d7a27953b6625fe4cbafe509720dc7099678e25c33c0ed770964d1806ed

Download Submit
C:\Users\Admin\AppData\Roaming\autoposter.exe

Filesize
63KB

MD5
71866876ac85de8456fb69a264d39ab5

SHA1
175d0018422d83a562b9b1684c0ee0dd0d08d958

SHA256
b9ef0cec7c89fd2c212d31df97579a8d52fc7d0a7fa350ab07c5924bb2058082

SHA512
70454a77e090e523ac308cd9249175193c6954b6fbc21f2e7b919e9784408bb3c13045284b870425096991d90db55caeecb8b0bd2edecd0c799ea3031a99fd70

Download Submit
\Users\Admin\AppData\Roaming\autoposter.exe

Filesize
176KB

MD5
d75433dfbeb76ad8ff94b5e92176deb4

SHA1
d5fb91e55eff47d153725109fae3f1a17bd5779a

SHA256
d8b953278b27c1df8039c1f8a95266551c3d7fc715a0aae80bee4485242601fe

SHA512
a4f1988294afa3dc95c2ddccb0cbe3c5a8ceb75960c714aa8e76ca6090d2cd106ca1aca1d535d0b340468e6225f60b5be4e22ccdc6d511529631a7cd2e360afc

Download Submit
\Users\Admin\AppData\Roaming\autoposter.exe

Filesize
51KB

MD5
4a448ba7381acea6ee71d91a1b053ad0

SHA1
b0f26ec98d5df15e1ee5137d4b587aedccf4072e

SHA256
de4912f58a7748c12f210bc20f3aaa1b925b3aca75a480688ac34f17800d2a9b

SHA512
af38107a4f0ecf4ece66c1657637b7b7748f1bc1c11cff04dde83e45933c45c6334267dac32dd89647947e8dc95697977f1459e43b01b9d0f988c6ea2eebb0e7

Download Submit
memory/2072-70-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/2072-65-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/2168-19-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2168-8-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2168-3-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2168-5-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2840-63-0x00000000021F0000-0x0000000002270000-memory.dmp

Filesize
512KB

Download
memory/2840-22-0x00000000021F0000-0x0000000002270000-memory.dmp

Filesize
512KB

Download
memory/2840-23-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/2840-21-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/2840-64-0x00000000021F0000-0x0000000002270000-memory.dmp

Filesize
512KB

Download
memory/2840-66-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/2840-67-0x00000000021F0000-0x0000000002270000-memory.dmp

Filesize
512KB

Download
memory/2840-68-0x00000000021F0000-0x0000000002270000-memory.dmp

Filesize
512KB

Download
memory/2840-69-0x00000000021F0000-0x0000000002270000-memory.dmp

Filesize
512KB

Download
memory/2964-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2964-7-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing