367e6943901a7a573bde560b7a97216af66ef985bd1b7c37a525c9c6fd3b8436

Analysis

max time kernel
131s
max time network
150s
platform
windows10-1703_x64
resource
win10-20231220-en
resource tags

arch:x64arch:x86image:win10-20231220-enlocale:en-usos:windows10-1703-x64system
submitted
06-01-2024 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

C4lexFckingC4cked.exe
Size

10.2MB
MD5

298004294ffdb857920787bb81effda9
SHA1

7239c9a132daf3a2ed11345772bb43c5fc9619d9
SHA256

367e6943901a7a573bde560b7a97216af66ef985bd1b7c37a525c9c6fd3b8436
SHA512

59162ec2f6ed1c523514fcc9da07fffd6394d3c6c7689bf36145fd3bf827fbc6dfa97a8b104dd394a549ddff5f2dd8eafc96f7532764e6a847070247d94f271a
SSDEEP

196608:E0EiIE7SRpoIEDn61W903eV4QR7MToEuGxgh858F0ibfU36e7mgABObk91tllWT:IiIE7YoI2nwW+eGQR7MTozGxu8C0ibfK

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C4lexFckingC4cked.exe	C4lexFckingC4cked.exe

Loads dropped DLL 38 IoCs

pid	Process
3820	C4lexFckingC4cked.exe
3820	C4lexFckingC4cked.exe
3820	C4lexFckingC4cked.exe
3820	C4lexFckingC4cked.exe
3820	C4lexFckingC4cked.exe
3820	C4lexFckingC4cked.exe
3820	C4lexFckingC4cked.exe
3820	C4lexFckingC4cked.exe
3820	C4lexFckingC4cked.exe
3820	C4lexFckingC4cked.exe
3820	C4lexFckingC4cked.exe
3820	C4lexFckingC4cked.exe
3820	C4lexFckingC4cked.exe
3820	C4lexFckingC4cked.exe
3820	C4lexFckingC4cked.exe
3820	C4lexFckingC4cked.exe
3820	C4lexFckingC4cked.exe
3820	C4lexFckingC4cked.exe
3820	C4lexFckingC4cked.exe
3820	C4lexFckingC4cked.exe
3820	C4lexFckingC4cked.exe
3820	C4lexFckingC4cked.exe
3820	C4lexFckingC4cked.exe
3820	C4lexFckingC4cked.exe
3820	C4lexFckingC4cked.exe
3820	C4lexFckingC4cked.exe
3820	C4lexFckingC4cked.exe
3820	C4lexFckingC4cked.exe
3820	C4lexFckingC4cked.exe
3820	C4lexFckingC4cked.exe
3820	C4lexFckingC4cked.exe
3820	C4lexFckingC4cked.exe
3820	C4lexFckingC4cked.exe
3820	C4lexFckingC4cked.exe
3820	C4lexFckingC4cked.exe
3820	C4lexFckingC4cked.exe
3820	C4lexFckingC4cked.exe
3820	C4lexFckingC4cked.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
33	api.ipify.org
1	api.ipify.org
3	api.ipify.org
14	api.ipify.org
28	api.ipify.org

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
4104	tasklist.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4104	tasklist.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 3820	224	C4lexFckingC4cked.exe	74
PID 224 wrote to memory of 3820	224	C4lexFckingC4cked.exe	74
PID 3820 wrote to memory of 1636	3820	C4lexFckingC4cked.exe	78
PID 3820 wrote to memory of 1636	3820	C4lexFckingC4cked.exe	78
PID 1636 wrote to memory of 4104	1636	cmd.exe	76
PID 1636 wrote to memory of 4104	1636	cmd.exe	76

C:\Users\Admin\AppData\Local\Temp\C4lexFckingC4cked.exe
"C:\Users\Admin\AppData\Local\Temp\C4lexFckingC4cked.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:224
- C:\Users\Admin\AppData\Local\Temp\C4lexFckingC4cked.exe
  "C:\Users\Admin\AppData\Local\Temp\C4lexFckingC4cked.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1636

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI2242\base_library.zip

Filesize
1.3MB

MD5
ccee0ea5ba04aa4fcb1d5a19e976b54f

SHA1
f7a31b2223f1579da1418f8bfe679ad5cb8a58f5

SHA256
eeb7f0b3e56b03454868411d5f62f23c1832c27270cee551b9ca7d9d10106b29

SHA512
4f29ac5df211fef941bd953c2d34cb0c769fb78475494746cb584790d9497c02be35322b0c8f5c14fe88d4dd722733eda12496db7a1200224a014043f7d59166

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\libcrypto-3.dll

Filesize
382KB

MD5
dbd8df9193c8a8058f5ccc8e8191912a

SHA1
0f880a5eb7cde4c13844bd9851334f99f191b170

SHA256
3064c6064d776b2efe46eb993cb75947bb1afcaf5486f26828af9b4b5788eafa

SHA512
56aac9baa11a02bfbcb96cf86723644718ded0c4ebe69d64f59aa8ff539adb216ed1b3035c4c31e09ceaaf23f7ea1a4b0f6f41d6b683d76671ab32322ec37ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\libssl-3.dll

Filesize
381KB

MD5
737202f44c94472b2b4a412bb8376637

SHA1
32cc106bbc9c7fd5b55bbe01e54aea021e841c02

SHA256
871b75ee8d4daeea4812b382c6187971bede3f17f20e04ad30fde96ab5001f91

SHA512
ced30df6a11a7ea1dbb4ce662a0bb4067d5ec861d27d1b044d88d80bcaf8c5ba9efc965d70a8de8ad0fc4168f324c078a5a70df0c95d1ceade179a24e7999022

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\python312.dll

Filesize
408KB

MD5
6af5763e0ef6e5744ce90dc647dfd75c

SHA1
417628c60559976b2373dc78aff12ad2a17b50bf

SHA256
616fa87db15e383679e4826400e75a9639eb1b9ed047347541e2d0069e955733

SHA512
0074027f9b52e84d620447d673162eb97667df494438d3c1f4c6d1925c28fd49ce98c6fdf333750b2d7046898b30df433a518d6216d4c8d2eae0dcc5b6738246

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\select.pyd

Filesize
29KB

MD5
e1604afe8244e1ce4c316c64ea3aa173

SHA1
99704d2c0fa2687997381b65ff3b1b7194220a73

SHA256
74cca85600e7c17ea6532b54842e26d3cae9181287cdf5a4a3c50af4dab785e5

SHA512
7bf35b1a9da9f1660f238c2959b3693b7d9d2da40cf42c6f9eba2164b73047340d0adff8995049a2fe14e149eba05a5974eee153badd9e8450f961207f0b3d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\sqlite3.dll

Filesize
92KB

MD5
2b89a2f85875bcb8ce5999441cde260a

SHA1
ca5d04f931c2b41cd064bf43021ecf683aa8d330

SHA256
3020071e7ec01b39baa1496547735a83ab9c6b6716e01906866b7470dc70ffb8

SHA512
7fc28f7bf84765adb8117c6749575fff3200ac8815571ddb5f34148905d8cf13fab20aa99b70077e823ae332131be984388a0d3bb9c179ae03de0ec8b83a299f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI2242\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI2242\_bz2.pyd

Filesize
82KB

MD5
90f58f625a6655f80c35532a087a0319

SHA1
d4a7834201bd796dc786b0eb923f8ec5d60f719b

SHA256
bd8621fcc901fa1de3961d93184f61ea71068c436794af2a4449738ccf949946

SHA512
b5bb1ecc195700ad7bea5b025503edd3770b1f845f9beee4b067235c4e63496d6e0b19bdd2a42a1b6591d1131a2dc9f627b2ae8036e294300bb6983ecd644dc8

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI2242\_ctypes.pyd

Filesize
122KB

MD5
452305c8c5fda12f082834c3120db10a

SHA1
9bab7b3fd85b3c0f2bedc3c5adb68b2579daa6e7

SHA256
543ce9d6dc3693362271a2c6e7d7fc07ad75327e0b0322301dd29886467b0b0e

SHA512
3d52afdbc8da74262475abc8f81415a0c368be70dbf5b2bd87c9c29ca3d14c44770a5b8b2e7c082f3ece0fd2ba1f98348a04b106a48d479fa6bd062712be8f7c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI2242\_lzma.pyd

Filesize
155KB

MD5
cf8de1137f36141afd9ff7c52a3264ee

SHA1
afde95a1d7a545d913387624ef48c60f23cf4a3f

SHA256
22d10e2d6ad3e3ed3c49eb79ab69a81aaa9d16aeca7f948da2fe80877f106c16

SHA512
821985ff5bc421bd16b2fa5f77f1f4bf8472d0d1564bc5768e4dbe866ec52865a98356bb3ef23a380058acd0a25cd5a40a1e0dae479f15863e48c4482c89a03f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI2242\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI2242\python312.dll

Filesize
2.9MB

MD5
0573f2c105e48fcbae27d4951f37b982

SHA1
b48cb04fd407b0d8311631d609dd6de9572598fa

SHA256
ba903817a680d8b6d5cd5573a650c8e30f006468b9ad3e0be6f8df98b188ae9d

SHA512
96b69e120daf63e0e7aa151f88f710d6674a6a123c97c527cd510d86f165988e4584ee2f7016a1497c900187a921fa845e615dcb981a1de9d22523d887d746ce

Download Submit