4771e5eedbaf4e273902971498a98a0caf93c34117dae57576d31183144c8c4e

General

Target

Creal.exe
Size

19.4MB
MD5

dd53ed3706c2430bc5e8a338871db91a
SHA1

93ab5025b0602b1d3b8e0ebf3a8a97457b2c639c
SHA256

4771e5eedbaf4e273902971498a98a0caf93c34117dae57576d31183144c8c4e
SHA512

b5d159d596493d6b555a963f351cf9e67c2145c6ff1af7a1621fc12fce00c3559be52b8cba984b3948fa3df215721374d988817356caa4ccfcec0b0a940c1d35
SSDEEP

393216:REkZQtsrr7M5livQETSrvJQnqOq/rx7zdCyd06:RhQtsX7M5lmQEWrhQAzi

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Creal.exe

Loads dropped DLL 47 IoCs

pid	Process
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe
4128	Creal.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	api.ipify.org
19	api.ipify.org
33	api.ipify.org
64	api.ipify.org
71	api.ipify.org

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
4552	tasklist.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4552	tasklist.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 4128	1184	Creal.exe	28
PID 1184 wrote to memory of 4128	1184	Creal.exe	28
PID 4128 wrote to memory of 1512	4128	Creal.exe	35
PID 4128 wrote to memory of 1512	4128	Creal.exe	35
PID 4128 wrote to memory of 2672	4128	Creal.exe	33
PID 4128 wrote to memory of 2672	4128	Creal.exe	33
PID 2672 wrote to memory of 4552	2672	cmd.exe	32
PID 2672 wrote to memory of 4552	2672	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\Creal.exe
"C:\Users\Admin\AppData\Local\Temp\Creal.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Users\Admin\AppData\Local\Temp\Creal.exe
  "C:\Users\Admin\AppData\Local\Temp\Creal.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:1512

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Process Discovery

1

T1057

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI11842\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\_ctypes.pyd

Filesize
92KB

MD5
d9e62b5343baff0f57b890bc27c15e0c

SHA1
00f70a46346e89113244baac027f5803332fe2c6

SHA256
db39187102efe100015cb59dc74864e98dc9842c4c24502f7eb6dc59f1a52c9a

SHA512
7821e2ef68d56816f8dde666c3185077ad5bfe1ee7bdd292c13b7076021b8bbcec3dcf492f36b08da31a6e7881e7d63b1a32c015b3b314f398011ec8cd0386d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\python3.DLL

Filesize
65KB

MD5
b711598fc3ed0fe4cf2c7f3e0877979e

SHA1
299c799e5d697834aa2447d8a313588ab5c5e433

SHA256
520169aa6cf49d7ee724d1178de1be0e809e4bdcf671e06f3d422a0dd5fd294a

SHA512
b3d59eff5e38cef651c9603971bde77be7231ea8b7bdb444259390a8a9e452e107a0b6cb9cc93e37fd3b40afb2ba9e67217d648bfca52f7cdc4b60c7493b6b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\python311.dll

Filesize
425KB

MD5
48c33f2967bef45196871f8ff4b09ca8

SHA1
5e29cd4e387824b67991d1c539e3e510f1c164d8

SHA256
ab47d61b2968e92d362e85c05e5fd453fafba00883ee68d16ed73d493d9172ae

SHA512
66c1ba9a97a163cd93cb61159790a454e654e7c78f563445e590ed7a73c9b965abfcad8d58c7ce5c73b8889979dda2cc17e9a2d113b3de662810574351cc53e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\python311.dll

Filesize
445KB

MD5
f180f940464bffe58444bc8e7732907f

SHA1
7a45c350e4fdf31f876b8d51fdcaf30ab2ea49b3

SHA256
712c1a122d3c6d93dcace8942ec742d0c7a18e8c706d60a4d4da41f151eba48a

SHA512
9d3b8479af3d1d19a033dba0618857f9118001bfb33ae9ab3368fbb92328d359419fef7ca74658481c740625af55874a4aa6e2b005a73de7865a16b72af77841

Download Submit

Analysis

Sharing