Analysis Overview
SHA256
86cdc5aac38ed2eba636fb2a70e384810f55590e8e6ca103a3e9099b58aa039e
Threat Level: Known bad
The file spoofer.rar was found to be: Known bad.
Malicious Activity Summary
An infostealer written in Python and packaged with PyInstaller.
Crealstealer family
Detects Pyinstaller
Unsigned PE
Enumerates physical storage devices
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-02 00:15
Signatures
An infostealer written in Python and packaged with PyInstaller.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Crealstealer family
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-02 00:15
Reported
2024-02-02 00:49
Platform
win7-20231129-en
Max time kernel
1563s
Max time network
1564s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\pyc_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\pyc_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.pyc | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\pyc_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\pyc_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\pyc_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.pyc\ = "pyc_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2372 wrote to memory of 2544 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2372 wrote to memory of 2544 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2372 wrote to memory of 2544 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2544 wrote to memory of 2904 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2544 wrote to memory of 2904 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2544 wrote to memory of 2904 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2544 wrote to memory of 2904 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\creal.pyc
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\creal.pyc
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\creal.pyc"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 85b232070cdc12565bee9da84ab32068 |
| SHA1 | 2f819744718509648e8a1f3ddfb559041708e910 |
| SHA256 | 6b4398bc565c5069e55e90cd75185a3d4156216723f3ca15390750a65a785ddd |
| SHA512 | 65be36492f1cb8428e2a85af6b00fd7125e6fd9b5ce3f777cee51cd30b5800bad401cd2593da466362b629c87f1574e3ee7ff07597bc9e8811def689cbaa081a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-02 00:15
Reported
2024-02-02 00:49
Platform
win10v2004-20231215-en
Max time kernel
539s
Max time network
1173s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\creal.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |