8c704dd49e9493c8629487e92adbe7d4794073ee19aa2bf0137b5646b1998056

Resubmissions

07-01-2024 17:58

240107-wj5y7sced9 10

07-01-2024 17:50

240107-we4kksbehl 10

Analysis

max time kernel
126s
max time network
91s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
07-01-2024 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GENERATOR 2.0/GENERATOR 2.0.exe
Size

50.7MB
MD5

9224655def30664e25eb075940a4c6bc
SHA1

05bb602202941413b7544883f2bf19ac2ed8b517
SHA256

c3b66ee7b2bb35e24c67bf0fa8825a045b715c0050ba4fc2507e7c8d885a99b4
SHA512

bfbbcf2a551ce0e982385c07d7bb15e747fc647b5bbf5591ff413b4b9f17ff11cb361bc8831c436ba8c33f91cf68c092da5e67470d7876fdafd04037188cd88e
SSDEEP

1572864:7XGMK4XR3bLSCU/+6yPlhvhoQtHlBzW+eHfmmWu24HOGPn:7gYRPSC++6y9Ji46dn24uG

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GENERATOR 2.0.exe	GENERATOR 2.0.exe

Loads dropped DLL 64 IoCs

pid	Process
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe
2708	GENERATOR 2.0.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	api.ipify.org
3	api.ipify.org
6	api.ipify.org
15	api.ipify.org
18	api.ipify.org

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
3724	tasklist.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2708	GENERATOR 2.0.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2708	GENERATOR 2.0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3724	tasklist.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2708	GENERATOR 2.0.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3804 wrote to memory of 2708	3804	GENERATOR 2.0.exe	80
PID 3804 wrote to memory of 2708	3804	GENERATOR 2.0.exe	80
PID 2708 wrote to memory of 4500	2708	GENERATOR 2.0.exe	82
PID 2708 wrote to memory of 4500	2708	GENERATOR 2.0.exe	82
PID 2708 wrote to memory of 4364	2708	GENERATOR 2.0.exe	86
PID 2708 wrote to memory of 4364	2708	GENERATOR 2.0.exe	86
PID 4364 wrote to memory of 3724	4364	cmd.exe	83
PID 4364 wrote to memory of 3724	4364	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\GENERATOR 2.0\GENERATOR 2.0.exe
"C:\Users\Admin\AppData\Local\Temp\GENERATOR 2.0\GENERATOR 2.0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3804
- C:\Users\Admin\AppData\Local\Temp\GENERATOR 2.0\GENERATOR 2.0.exe
  "C:\Users\Admin\AppData\Local\Temp\GENERATOR 2.0\GENERATOR 2.0.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:4500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4364

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI38042\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38042\_bz2.pyd

Filesize
82KB

MD5
afaa11704fda2ed686389080b6ffcb11

SHA1
9a9c83546c2e3b3ccf823e944d5fd07d22318a1b

SHA256
ab34b804da5b8e814b2178754d095a4e8aead77eefd3668da188769392cdb5f4

SHA512
de23bb50f1d416cf4716a5d25fe12f4b66e6226bb39e964d0de0fef1724d35b48c681809589c731d3061a97c62b4dc7b9b7dfe2978f196f2d82ccce286be8a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38042\_ctypes.pyd

Filesize
121KB

MD5
78df76aa0ff8c17edc60376724d206cd

SHA1
9818bd514d3d0fc1749b2d5ef9e4d72d781b51dd

SHA256
b75560db79ba6fb56c393a4886eedd72e60df1e2f7f870fe2e356d08155f367b

SHA512
6189c1bd56db5b7a9806960bc27742d97d2794acebc32e0a5f634fe0ff863e1775dcf90224504d5e2920a1192a3c1511fb84d41d7a2b69c67d3bdfbab2f968fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38042\_lzma.pyd

Filesize
155KB

MD5
2ae2464bfcc442083424bc05ed9be7d2

SHA1
f64b100b59713e51d90d2e016b1fe573b6507b5d

SHA256
64ba475a28781dca81180a1b8722a81893704f8d8fac0b022c846fdcf95b15b9

SHA512
6c3acd3dcae733452ad68477417693af64a7d79558e8ec9f0581289903c2412e2f29195b90e396bfdcd765337a6dea9632e4b8d936ac39b1351cd593cb12ce27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38042\base_library.zip

Filesize
1024KB

MD5
79749a1e41fef633a1b187529341251a

SHA1
ab844e64dd5ca9fe7b596ad9ee216060223d7979

SHA256
431e7256133e6c5d08c78dd6643539a98fcabd2f4fa354da16ac1c80a8422c2c

SHA512
e7ecdb65c77072397789acaf76cea42f4c8573801018301d92b4ca151bb772c7292537954f5d096e55dddb4b2b163e54e679040fc7d5f177c43f61a4469cc9db

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38042\libcrypto-3.dll

Filesize
1.4MB

MD5
6be7268cd162432d93482dad64ea42e2

SHA1
57efd4d0a88f4937fb6c9eee46b767a5783af961

SHA256
ab8a7d8c1e5768275bfc3c3fff7a6649b13203c13984691b548c32547c0d35e1

SHA512
ba26b8098057d77f71f197aaddb6f502a6c884a39e5a155219998b43567a98d15a5c93122cc52372a47249a1bc54cf3de8fdaa8053999667d0a261425f824883

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38042\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38042\libssl-3.dll

Filesize
771KB

MD5
bfc834bb2310ddf01be9ad9cff7c2a41

SHA1
fb1d601b4fcb29ff1b13b0d2ed7119bd0472205c

SHA256
41ad1a04ca27a7959579e87fbbda87c93099616a64a0e66260c983381c5570d1

SHA512
6af473c7c0997f2847ebe7cee8ef67cd682dee41720d4f268964330b449ba71398fda8954524f9a97cc4cdf9893b8bdc7a1cf40e9e45a73f4f35a37f31c6a9c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38042\log5.png

Filesize
186KB

MD5
2cefa470e58a82a2441f5808baa2b0ee

SHA1
4e4a98e82ef6500a9e79e6c4b56c2b6a0a638e64

SHA256
8add5f11f0a1ef27f34a1f3f407a3afedc892c8f04870db4f89c0a3abc1114a2

SHA512
5840237b8d92c358f44db74492672694cc58bf0d609eaeb45c36825c5d586d652bd031b5fcafb6340ff9ea32a9238bba78256742493af8c7188877cd6ee6e5fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38042\pyexpat.pyd

Filesize
193KB

MD5
bfe46323faea201f6d18d60723e06852

SHA1
f93afeebb3ea1e6d1cc8ab3618c9d4c88eaa7475

SHA256
35134cca2dcf7c2b7e592b677833322b6b72a6a88afcd3935afe5907a282e89e

SHA512
7342c309c98b7ef0d8e7d02e6a31afbd765b077b9061a185b160842b24af3fb629d5757001ae647b8c660defd41b765bbb6175cca431d569ff9bd580fd8f7913

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38042\python3.DLL

Filesize
65KB

MD5
ff319d24153238249adea18d8a3e54a7

SHA1
0474faa64826a48821b7a82ad256525aa9c5315e

SHA256
a462a21b5f0c05f0f7ec030c4fde032a13b34a8576d661a8e66f9ad23767e991

SHA512
0e63fe4d5568cd2c54304183a29c7469f769816f517cd2d5b197049aa966c310cc13a7790560ef2edc36b9b6d99ff586698886f906e19645faeb89b0e65adfdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38042\python311.dll

Filesize
1.3MB

MD5
37061e9434e8b6ae44923993278e7de0

SHA1
9fa5431ed8254a6ae0a4cc52ab216b9d3751f2c2

SHA256
7b1e8ff0cbe2f9ba83ea246fda04f7d2e7c752df31d7e52b0ebc5460a810b772

SHA512
a04392e40f68a7098ac8ccdb51c9f0b209e5f870a720f94ac9d5059ce174ba5065dbc42be2e26f0fda57e925eacd4d30ecb8fb09a854b8ca722a99a970a6616c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38042\python311.dll

Filesize
1024KB

MD5
7e1a80f2e39fb328be8f807d9e41c076

SHA1
1be0231ef28104bf9807c05e87544e9bf57ab994

SHA256
486f8633c10468ca63fb57b19f4585afad1d3ab022d5a91766c291f9122bc1b4

SHA512
d3457626f4f3542cbd5d521f0555ac3ee0cbbce0094a6949c0ca85316d5b3ba98e725f41e1cb9ca22bb1613f6962bdf52436cd934439324bea729cd5687c3d01

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38042\select.pyd

Filesize
29KB

MD5
0b55f18218f4c8f30105db9f179afb2c

SHA1
f1914831cf0a1af678970824f1c4438cc05f5587

SHA256
e7fe45baef9cee192c65fcfce1790ccb6f3f9b81e86df82c08f838e86275af02

SHA512
428ee25e99f882af5ad0dedf1ccdbeb1b4022ac286af23b209947a910bf02ae18a761f3152990c84397649702d8208fed269aa3e3a3c65770e21ee1eec064cc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38042\sqlite3.dll

Filesize
896KB

MD5
367d910255a1a2f290133cb54a8e7aad

SHA1
0e298309dcf014028a061a2da2e85fed6caaa3eb

SHA256
21ae5b3479c400ee40d620bb5cca8b2915f8611b2bd8de7cfe2605eca91c2ae2

SHA512
f1d46cfce07135f11a7cef97580d5278fb0d5be449eb053cf1bdb99d26eff3f7e800d3851f3cc55a812c6722ac6cba2c7b36980f058bf366f3ea7c83260ec9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38042\tcl86t.dll

Filesize
893KB

MD5
9dfbf07c3b3edd9889607b8a5d056d52

SHA1
1823120aff9793e99edb5e99b630ea9179014095

SHA256
eac5265c1ec590c4a5d2353dc1d7a39fd7c6070b90ff0677dc0def4bf283f675

SHA512
11aa376876a89b790690aca6ed5e766f0f9d01d1ef8650a194db94e1f5e3837a721392a06ecb2b24346d90f62b50def69d5fddb373f32b488046401a626f1964

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38042\texte.txt

Filesize
12KB

MD5
6f4b58496501defa12f7b9157ad57b00

SHA1
5f4bcc137fa31f6a07561c2d2e49071f39b5020e

SHA256
0c76cd2741c4d6bafe61ea83aa6a1e56439e6d319e537071506218d914933b22

SHA512
cc07c2205f389ffbef3327efc39e3830ca09f48870006c45a3902ac006b492a22a36dc4b0d5592e0a37e034d1a89f907c2a9af2cd8bd8435a112c2dc576f2abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38042\texte2nomfamille.txt

Filesize
1KB

MD5
33640b05ccc550bd6825d1c00a2e5707

SHA1
5a630bd459997c46ca007c1650396fa95848cfcb

SHA256
cf7c92f4d07399d991126be0e770572cc7af994bac452cbd0dee0ba13aa41f39

SHA512
ef26e13b516a5dd57a4ed665ce5e9e2d73ab1cef256e46abf03231cce7b6b7627aa7bc5b24673e899e902e8cfee0f056cf5f9075f1c8f6a9f35ab508b8e6499e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38042\tk86t.dll

Filesize
92KB

MD5
c5dc6abbdfcb1aa3738eba3c759242aa

SHA1
9f25b8aaf5d48d4a03096491da8b9834965a0bef

SHA256
fa6ddb5538d272d7e9cd5e9703350e8c145f3687bd68fd20ac748a6c15328ea5

SHA512
c65a490d978ee43976256ab0eb76f51abf9be02eb0ab50f33745631d955448d148046467c764303c15cdce463be6a59cdc2b367c80923b54165f9c4f1a476f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38042\unicodedata.pyd

Filesize
381KB

MD5
0566f33b2699e3638f7464835541a0d2

SHA1
b12adfe82e6daf074fd2a606f8b965e8e7223759

SHA256
5fbf75541035cdb990ce7819c5d2622d624aa71cca7aacf70772e243d85873af

SHA512
33943705f324e34bc96d38675bd4584bc39ad54e844dec08670e072889ba63fa4d08f38fedb5883db6b8b941147d9923c17774f285ad1c67c1bed487ba29c3ab

Download Submit
memory/2708-1205-0x00007FFE2B3F0000-0x00007FFE2B931000-memory.dmp

Filesize
5.3MB

Download
memory/2708-1208-0x000002CCD4DB0000-0x000002CCD4DC0000-memory.dmp

Filesize
64KB

Download
memory/2708-1207-0x00007FFE2A4F0000-0x00007FFE2A755000-memory.dmp

Filesize
2.4MB

Download
memory/2708-1206-0x00007FFE2CA80000-0x00007FFE2CCE3000-memory.dmp

Filesize
2.4MB

Download
memory/2708-1204-0x00007FFE2B940000-0x00007FFE2BE30000-memory.dmp

Filesize
4.9MB

Download