e1ae50e8c35c75322916d49196e42d957ef447e0f1f974d0568ce71a59d8bfcc

General

Target

1c1ff790794298309fc6d52e6cda4131.exe
Size

339KB
MD5

1c1ff790794298309fc6d52e6cda4131
SHA1

bbc17b40f69ff0c123fedcbf9cc9538e600634f8
SHA256

e1ae50e8c35c75322916d49196e42d957ef447e0f1f974d0568ce71a59d8bfcc
SHA512

eb64dbaf13ebdd144da7a9b7ebd45f09e544ada90e90973392b6ad3191fb894a22be54850b15c3d91338ceb0f7caae5016cdc6b28e190eab07985db8de7ec987
SSDEEP

6144:D7uSZ9QwNRcVJ1eGMwNTW7iKOFrbv8/tTg99dw/3QQmsgDlpI532YHXEv:PZ9L4PHginrT0299C/3QQnghEc

Score

10^/10

persistence spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
hotdog25

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2444	TURSH Tool.exe
2292	yTArml.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Drivers = "C:\\Users\\AJ2\\AppData\\Roaming\\Microsoft\\Local\\svchost.exe"	yTArml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Drivers = "C:\\Users\\AJ2\\AppData\\Roaming\\Microsoft\\Local\\svchost.exe"	yTArml.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2292	yTArml.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2292	yTArml.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 2444	840	1c1ff790794298309fc6d52e6cda4131.exe	28
PID 840 wrote to memory of 2444	840	1c1ff790794298309fc6d52e6cda4131.exe	28
PID 840 wrote to memory of 2444	840	1c1ff790794298309fc6d52e6cda4131.exe	28
PID 840 wrote to memory of 2292	840	1c1ff790794298309fc6d52e6cda4131.exe	29
PID 840 wrote to memory of 2292	840	1c1ff790794298309fc6d52e6cda4131.exe	29
PID 840 wrote to memory of 2292	840	1c1ff790794298309fc6d52e6cda4131.exe	29

C:\Users\Admin\AppData\Local\Temp\1c1ff790794298309fc6d52e6cda4131.exe
"C:\Users\Admin\AppData\Local\Temp\1c1ff790794298309fc6d52e6cda4131.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:840
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\TURSH Tool.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\TURSH Tool.exe"
  2⤵
  - Executes dropped EXE
  PID:2444
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\yTArml.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\yTArml.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\TURSH Tool.exe

Filesize
187KB

MD5
6cf9a21b513cdf76d3b333c30ce0e8b7

SHA1
f00bcdd860d5c987f28ed15e6faf895c2dc56218

SHA256
1d38b499d1c046aed19279f332d96b64ccc47a729c5f6fe425b3d82fee430c26

SHA512
6dd0cb993e4866a90d4590e6c51633af0bf53621d85043b8f6df73ebee288c1ae384e93fde0dea8126e2828d2cb41e3948e959240f92f34c2bf5d87e772bf4ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\yTArml.exe

Filesize
56KB

MD5
0dd0d309642cb8ebf1e9a84b862875ea

SHA1
033ab351f19dd6cf3fe51546774adaa8686e858a

SHA256
42797508c8546eceb17db4052e6c0a5f993dfa68b80c73dda70b8867325450a6

SHA512
1bb0d9cc087168d4c2b39d1ceb8dcf0a19b90189df83122d8a8773246d4a3f2327a5d32f77f140a2e20da6dafa91cd42e9ba0125bc384a744d63d0ff358a4648

Download Submit
memory/840-13-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/840-12-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/840-14-0x0000000000C50000-0x0000000000CD0000-memory.dmp

Filesize
512KB

Download
memory/2292-18-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/2292-20-0x0000000000A30000-0x0000000000AB0000-memory.dmp

Filesize
512KB

Download
memory/2292-24-0x0000000000A30000-0x0000000000AB0000-memory.dmp

Filesize
512KB

Download
memory/2292-23-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/2292-25-0x0000000000A30000-0x0000000000AB0000-memory.dmp

Filesize
512KB

Download
memory/2444-16-0x0000000000A30000-0x0000000000AB0000-memory.dmp

Filesize
512KB

Download
memory/2444-17-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/2444-15-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/2444-19-0x0000000000A30000-0x0000000000AB0000-memory.dmp

Filesize
512KB

Download
memory/2444-21-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/2444-22-0x0000000000A30000-0x0000000000AB0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads