ae4471b251799f00b46508e52475758f6ea3d8341a00cfd34a3da60913081272

Analysis

max time kernel
137s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05-01-2024 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Creal.exe
Size

7.2MB
MD5

7e588baa61473b65785f3a5d06ce7405
SHA1

87984d1d3fd3bcabaab58cabb9a58a64b9407dce
SHA256

ae4471b251799f00b46508e52475758f6ea3d8341a00cfd34a3da60913081272
SHA512

2c7cbbf05b498c64d81d840732a0df993aec163c8a4f71cb5f3e40c083416a38c8fe7b5d2c37014f68bf9594759ca57e2ab86de29d2325ae7b4007562b455709
SSDEEP

196608:8CT+aj1rpnrJehwiIbZg4TIdQNm5XKCt7oQqLJad0+:8CT+aoqbCdQyftlqLJad0+

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Creal.exe

Loads dropped DLL 35 IoCs

pid	Process
5032	Creal.exe
5032	Creal.exe
5032	Creal.exe
5032	Creal.exe
5032	Creal.exe
5032	Creal.exe
5032	Creal.exe
5032	Creal.exe
5032	Creal.exe
5032	Creal.exe
5032	Creal.exe
5032	Creal.exe
5032	Creal.exe
5032	Creal.exe
5032	Creal.exe
5032	Creal.exe
5032	Creal.exe
5032	Creal.exe
5032	Creal.exe
5032	Creal.exe
5032	Creal.exe
5032	Creal.exe
5032	Creal.exe
5032	Creal.exe
5032	Creal.exe
5032	Creal.exe
5032	Creal.exe
5032	Creal.exe
5032	Creal.exe
5032	Creal.exe
5032	Creal.exe
5032	Creal.exe
5032	Creal.exe
5032	Creal.exe
5032	Creal.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	api.ipify.org
28	api.ipify.org
66	api.ipify.org
86	api.ipify.org
6	api.ipify.org

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
4200	tasklist.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4200	tasklist.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 5032	4852	Creal.exe	91
PID 4852 wrote to memory of 5032	4852	Creal.exe	91
PID 4852 wrote to memory of 5032	4852	Creal.exe	91
PID 5032 wrote to memory of 4584	5032	Creal.exe	96
PID 5032 wrote to memory of 4584	5032	Creal.exe	96
PID 5032 wrote to memory of 4584	5032	Creal.exe	96
PID 4584 wrote to memory of 4200	4584	cmd.exe	95
PID 4584 wrote to memory of 4200	4584	cmd.exe	95
PID 4584 wrote to memory of 4200	4584	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\Creal.exe
"C:\Users\Admin\AppData\Local\Temp\Creal.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Users\Admin\AppData\Local\Temp\Creal.exe
  "C:\Users\Admin\AppData\Local\Temp\Creal.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4584

C:\Windows\SysWOW64\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI48522\VCRUNTIME140.dll

Filesize
74KB

MD5
31ce620cb32ac950d31e019e67efc638

SHA1
eaf02a203bc11d593a1adb74c246f7a613e8ef09

SHA256
1e0f8f7f13502f5cee17232e9bebca7b44dd6ec29f1842bb61033044c65b2bbf

SHA512
603e8dceda4cb5b3317020e71f1951d01ace045468eaf118b422f4f44b8b6b2794f5002ea2e3fe9107c222e4cb55b932ed0d897a1871976d75f8ee10d5d12374

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48522\_ctypes.pyd

Filesize
92KB

MD5
35dad85ef3614d77a993e31655822754

SHA1
aa750d5ce5ef1018c98db8ce0c943147f0c36353

SHA256
67f9d1f3a3cb059aadc2c558b5863e496f84edca1b49cebcf056232f0cb87e84

SHA512
d8c5bdf88294036aa0b429622eeca88d0befe8ddf969eee4951e0ebb1c808690a2cbb4ee4bf993ca73493bc2002ef17bba6f33d65876928c42268bcd62f3f19d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48522\base_library.zip

Filesize
92KB

MD5
0ac583101a3f20afad581e027968154f

SHA1
30e6d6cf8d833dfc67a077033641e253109eda05

SHA256
466c3938a493244c4e81ea56b1993cb83518c8566205b94e84ff46c42bb7e399

SHA512
bdedb281fba350975b643aa7b0500899f7499f66d6d1ad8418d605e0e7e34c48359b9d07c6e3df94687ef4f76f83149b1eadc8a12eb4cce085841a6b639331b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48522\python310.dll

Filesize
1024KB

MD5
147653cd26e61994c11240f24f79b437

SHA1
521f30ed999ea2f5395d76c018c258243f1c0c30

SHA256
d404897448c5c1be79cb14b539e8b50334807560500a46b37afdff71a6a8fb5d

SHA512
13a32a9ca9be7d13b54405641b04bafa1e9a11bcff5b2e3a188869d3dae00e50fa327f95d502438b411008755375304d68874addd9a90b406929b2a4adf3fdc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48522\python310.dll

Filesize
179KB

MD5
f64c70c315ae114cd0e3cb8ffe1416ce

SHA1
0bafd7e48ecd8194b738fb48f0d981343c59cbed

SHA256
1dfae7bed3b84acbf02bf769a3084dcf0eaf6c2961d32946c4ebe78b08fffa70

SHA512
959415bdc3a834b31a4b1e40382fb0fb5633cc653dee023599f1591055104874bf4a104eb9fb52d2f87f40cdea90bed973ae9a037f0304dd1cf5d27a2cff08c7

Download Submit