Analysis
-
max time kernel
1381s -
max time network
1172s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
03-01-2024 19:57
General
-
Target
EraDebbuger.exe
-
Size
14.4MB
-
MD5
b6e1bef653b682728fc9b279f925dd24
-
SHA1
f28f7b3ef8a5ccac8116c7b9b4a3f5048685b039
-
SHA256
8781ca2d2cb19b24b8cbe5da23f8a640578f58e26259cdc68f7596446ffdbff6
-
SHA512
7952c44afd96e210118ac8e7755d487ec7580045bb3398c10c1419f2802a319b0dc816e1dc716daddfa74e74bd3d5e9e6a159bbb7b3f7028a79afcddc5454cd5
-
SSDEEP
196608:mXGX180pr0sKYu/PaQ+DuhfeidQmRJ8dA6lSuqaycBIGpE2o6hTOv+QKfwJSKfFP:RX7QMidQuslSq99oWOv+9fgSueK2+yw
Score
7/10
Malware Config
Signatures
-
Drops startup file 1 IoCs
-
Loads dropped DLL 46 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\EraDebbuger.exe"C:\Users\Admin\AppData\Local\Temp\EraDebbuger.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\EraDebbuger.exe"C:\Users\Admin\AppData\Local\Temp\EraDebbuger.exe"2⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ver"3⤵
-
-