7277bff77ce3de094150598446af2b0a3368866e0b1465abf3b43440fb72b3e2

Analysis

max time kernel
143s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
07/01/2024, 17:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

498c80b912743dc04330402da11b8f9e.exe
Size

5.4MB
MD5

498c80b912743dc04330402da11b8f9e
SHA1

1da2d57ba82376d105813898e9e770a55c13a108
SHA256

7277bff77ce3de094150598446af2b0a3368866e0b1465abf3b43440fb72b3e2
SHA512

f8ccda2466709293c74c8c571225f9092ade6172137714079beef63b2f6205dcc0872b062646ea2710470054da3e3f9a2398b4526bcb365759ec0a8db95c5b6d
SSDEEP

98304:u68hBwpzoLLJ3TbwaVvrZE0I8LrKI8F/Vtt1mIi3pRN8D8cXu21TbHcira4b+2Nl:u62w9onJ5hrZEK3e9tGPqKmTbHrW4b+a

Score

7^/10

spyware stealer

Malware Config

Signatures

Loads dropped DLL 11 IoCs

pid	Process
1796	498c80b912743dc04330402da11b8f9e.exe
1796	498c80b912743dc04330402da11b8f9e.exe
1796	498c80b912743dc04330402da11b8f9e.exe
1796	498c80b912743dc04330402da11b8f9e.exe
1796	498c80b912743dc04330402da11b8f9e.exe
1796	498c80b912743dc04330402da11b8f9e.exe
1796	498c80b912743dc04330402da11b8f9e.exe
1796	498c80b912743dc04330402da11b8f9e.exe
1796	498c80b912743dc04330402da11b8f9e.exe
1796	498c80b912743dc04330402da11b8f9e.exe
1796	498c80b912743dc04330402da11b8f9e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	api.ipify.org
10	api.ipify.org

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: 35	1796	498c80b912743dc04330402da11b8f9e.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 1796	1028	498c80b912743dc04330402da11b8f9e.exe	89
PID 1028 wrote to memory of 1796	1028	498c80b912743dc04330402da11b8f9e.exe	89

C:\Users\Admin\AppData\Local\Temp\498c80b912743dc04330402da11b8f9e.exe
"C:\Users\Admin\AppData\Local\Temp\498c80b912743dc04330402da11b8f9e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Users\Admin\AppData\Local\Temp\498c80b912743dc04330402da11b8f9e.exe
  "C:\Users\Admin\AppData\Local\Temp\498c80b912743dc04330402da11b8f9e.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI10282\VCRUNTIME140.dll

Filesize
85KB

MD5
89a24c66e7a522f1e0016b1d0b4316dc

SHA1
5340dd64cfe26e3d5f68f7ed344c4fd96fbd0d42

SHA256
3096cafb6a21b6d28cf4fe2dd85814f599412c0fe1ef090dd08d1c03affe9ab6

SHA512
e88e0459744a950829cd508a93e2ef0061293ab32facd9d8951686cbe271b34460efd159fd8ec4aa96ff8a629741006458b166e5cff21f35d049ad059bc56a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10282\_hashlib.pyd

Filesize
38KB

MD5
b32cb9615a9bada55e8f20dcea2fbf48

SHA1
a9c6e2d44b07b31c898a6d83b7093bf90915062d

SHA256
ca4f433a68c3921526f31f46d8a45709b946bbd40f04a4cfc6c245cb9ee0eab5

SHA512
5c583292de2ba33a3fc1129dfb4e2429ff2a30eeaf9c0bcff6cca487921f0ca02c3002b24353832504c3eec96a7b2c507f455b18717bcd11b239bbbbd79fadbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10282\_socket.pyd

Filesize
75KB

MD5
8ea18d0eeae9044c278d2ea7a1dbae36

SHA1
de210842da8cb1cb14318789575d65117d14e728

SHA256
9822c258a9d25062e51eafc45d62ed19722e0450a212668f6737eb3bfe3a41c2

SHA512
d275ce71d422cfaacef1220dc1f35afba14b38a205623e3652766db11621b2a1d80c5d0fb0a7df19402ebe48603e76b8f8852f6cbff95a181d33e797476029f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10282\_ssl.pyd

Filesize
92KB

MD5
965baae2077967c804f5b35240d74846

SHA1
4a4507c52fea7238eda63b76eb125e7090a0115a

SHA256
13acf852ba8f00089dd5a927a119d4729f9dd5ca15d77fa027c6357eb88ac4cc

SHA512
7b6c1a40725d62a1f9b3f795070ea01863e7a27eda5819fa65c1a321860fd29bf5dd6bee4bd4973fb1794e28ebd162aff13fbf40b90147f7423be6756e3017d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10282\base_library.zip

Filesize
760KB

MD5
d0d7afd942e32fc9ed6416d3e0d2e87f

SHA1
944e64b98b80bb53f1562fe435e428708305742c

SHA256
a158860800f5d831891b169304e908d65d6a901cfef9b713ca3617533186caef

SHA512
14705adb6710c9ad159a5a5d3502ae4419737f2cff57a9247429ac26bcbaddc3171429a958af1d4930eb75acf000aab373a5b3532876b7823f75181ad12bf5cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10282\libcrypto-1_1.dll

Filesize
111KB

MD5
b195f3472b17e67fbdfcc0b405c16797

SHA1
16f088dfbce02bd8113ca717af5a53da5c955283

SHA256
cb68cfdc71a3df70915a83367c8f38eca6fc123a3014b9521ba24337aab0849a

SHA512
0197fad5e0276c26231471b086da8df3a3d919c4faa8f95f659da879c62b7aee9996f766f71304847218656be4ec577247eb3f1bc2ef468c8bcf512359803f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10282\libcrypto-1_1.dll

Filesize
382KB

MD5
912f9fbde8de6439334950bb4bdf6d83

SHA1
fdb4ed18276c79931e1d86f1c0e9ee492f2b1c9c

SHA256
535e6d332005ff16f618553751efa59257c481f73cbaf559328326104d2d5681

SHA512
c113c951aa9e9cca047b6d272d2305ac501196f2c8aa3c86dab2c11b66cae04683c37c8a5bf39ab76e11561f9d5d6964756bc8719fcce33b3d60b03a997e4822

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10282\libssl-1_1.dll

Filesize
92KB

MD5
b4525f4373c794196397b23e94fe86f8

SHA1
49ff3749b313517e727d555041726a1513c21f91

SHA256
b9fac0db48375e59cff74bc2da9b6270dfcdfcd422422fc59affd86fbc829c6c

SHA512
e77072bfa6058dc8a2ea64823e9505d0505825eaed961ae3d4e96b2b286c45aad51f2daec8dd5a4cf9e4aa8ce09ba5b66ac941916ddea56aae738d90945a74d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10282\python37.dll

Filesize
1024KB

MD5
27ce768b0be398a88e3db890ddba64f8

SHA1
4f76d08a655be239564923f6c481731af1cbfafc

SHA256
31200339b9d1cad27cb2ddf8709bdcc7c911e883f03ae127a111e1e472317891

SHA512
3f94f2ec5bbe50e1761eb6b6fbe455c132b9cb6907a60e92ad09585aeca621124c60ebeae4b26a3ec2213e7f40af414543c2a736a253b1f7c6e4781f0b7bd00b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10282\python37.dll

Filesize
556KB

MD5
141beeffffc2f3abe3fc16787d322a9d

SHA1
fadbb77e2f10e6c0354982275a703db63941698b

SHA256
8bd1c4b2ef25f25366dde9a3f89f3f9b522b0311d7a1239dc3e40a38c79752e1

SHA512
d31696f61aab7b44e0401c11e12d798543c7e8b06d6f358c8d24aeb5aabee12bc476fdbbb377e2e1312e937d95caab5dee430d506ad67d5a2945d61253dc709c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10282\select.pyd

Filesize
26KB

MD5
fb4a0d7abaeaa76676846ad0f08fefa5

SHA1
755fd998215511506edd2c5c52807b46ca9393b2

SHA256
65a3c8806d456e9df2211051ed808a087a96c94d38e23d43121ac120b4d36429

SHA512
f5b3557f823ee4c662f2c9b7ecc5497934712e046aa8ae8e625f41756beb5e524227355316f9145bfabb89b0f6f93a1f37fa94751a66c344c38ce449e879d35f

Download Submit