5249a6c3b628626cb9c02b767a249b2422ebf3525ef6fadf668d2f68009c5baa

General

Target

b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f.exe
Size

421KB
MD5

10a331a12ca40f3293dfadfcecb8d071
SHA1

ada41586d1366cf76c9a652a219a0e0562cc41af
SHA256

b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f
SHA512

1a5b8e77ddbab97bb4c848adbcd7dbfb9ca84307d1844dba9572fcea48a2cbb091a3fc52663b87568416adf18a1338adc07aab0bd5f1ab36a03c8ff8a035d399
SSDEEP

12288:jh1Fk70TnvjcL8o0S86aZ+ldnqA1W0PeF7H:5k70TrcJX32ih1Re7H

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/memory/3992-0-0x0000000004A30000-0x0000000004A84000-memory.dmp	net_reactor
behavioral2/memory/3992-6-0x00000000050F0000-0x0000000005142000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation RegAsm.exe
Drops startup file 1 IoCs

Processes:

RegAsm.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe RegAsm.exe
Executes dropped EXE 1 IoCs

Processes:

qemu-ga.exe

pid process

4760 qemu-ga.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	RegAsm.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	RegAsm.exe

pid	process
4760	qemu-ga.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f.exe

description	pid	process	target process
PID 3992 set thread context of 3584	3992	b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

RegAsm.exe

pid process

3584 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 3584 RegAsm.exe

pid	process
3584	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	3584	RegAsm.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f.exeRegAsm.exe

description	pid	process	target process
PID 3992 wrote to memory of 2236	3992	b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f.exe	RegAsm.exe
PID 3992 wrote to memory of 2236	3992	b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f.exe	RegAsm.exe
PID 3992 wrote to memory of 2236	3992	b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f.exe	RegAsm.exe
PID 3992 wrote to memory of 3584	3992	b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f.exe	RegAsm.exe
PID 3992 wrote to memory of 3584	3992	b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f.exe	RegAsm.exe
PID 3992 wrote to memory of 3584	3992	b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f.exe	RegAsm.exe
PID 3992 wrote to memory of 3584	3992	b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f.exe	RegAsm.exe
PID 3992 wrote to memory of 3584	3992	b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f.exe	RegAsm.exe
PID 3992 wrote to memory of 3584	3992	b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f.exe	RegAsm.exe
PID 3992 wrote to memory of 3584	3992	b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f.exe	RegAsm.exe
PID 3992 wrote to memory of 3584	3992	b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f.exe	RegAsm.exe
PID 3584 wrote to memory of 4760	3584	RegAsm.exe	qemu-ga.exe
PID 3584 wrote to memory of 4760	3584	RegAsm.exe	qemu-ga.exe

C:\Users\Admin\AppData\Local\Temp\b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f.exe
"C:\Users\Admin\AppData\Local\Temp\b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
    3⤵
    - Executes dropped EXE
    PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

Filesize
4KB

MD5
a5ce3aba68bdb438e98b1d0c70a3d95c

SHA1
013f5aa9057bf0b3c0c24824de9d075434501354

SHA256
9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

SHA512
7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

Download Submit
memory/3584-25-0x0000000007950000-0x00000000079A0000-memory.dmp

Filesize
320KB

Download
memory/3584-41-0x0000000075210000-0x00000000759C0000-memory.dmp

Filesize
7.7MB

Download
memory/3584-18-0x00000000056C0000-0x00000000057CA000-memory.dmp

Filesize
1.0MB

Download
memory/3584-19-0x00000000055F0000-0x000000000562C000-memory.dmp

Filesize
240KB

Download
memory/3584-27-0x00000000083A0000-0x00000000088CC000-memory.dmp

Filesize
5.2MB

Download
memory/3584-26-0x0000000007CA0000-0x0000000007E62000-memory.dmp

Filesize
1.8MB

Download
memory/3584-24-0x00000000067B0000-0x00000000067CE000-memory.dmp

Filesize
120KB

Download
memory/3584-9-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3584-20-0x0000000005630000-0x000000000567C000-memory.dmp

Filesize
304KB

Download
memory/3584-14-0x0000000075210000-0x00000000759C0000-memory.dmp

Filesize
7.7MB

Download
memory/3584-15-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download
memory/3584-16-0x0000000005B90000-0x00000000061A8000-memory.dmp

Filesize
6.1MB

Download
memory/3584-22-0x00000000064B0000-0x0000000006526000-memory.dmp

Filesize
472KB

Download
memory/3584-21-0x0000000005910000-0x0000000005976000-memory.dmp

Filesize
408KB

Download
memory/3584-23-0x00000000065D0000-0x0000000006662000-memory.dmp

Filesize
584KB

Download
memory/3584-17-0x0000000005590000-0x00000000055A2000-memory.dmp

Filesize
72KB

Download
memory/3992-1-0x0000000075210000-0x00000000759C0000-memory.dmp

Filesize
7.7MB

Download
memory/3992-13-0x0000000075210000-0x00000000759C0000-memory.dmp

Filesize
7.7MB

Download
memory/3992-10-0x00000000025A0000-0x00000000045A0000-memory.dmp

Filesize
32.0MB

Download
memory/3992-0-0x0000000004A30000-0x0000000004A84000-memory.dmp

Filesize
336KB

Download
memory/3992-5-0x0000000004AE0000-0x0000000005084000-memory.dmp

Filesize
5.6MB

Download
memory/3992-6-0x00000000050F0000-0x0000000005142000-memory.dmp

Filesize
328KB

Download
memory/3992-2-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/3992-3-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/3992-4-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/4760-43-0x00007FFCD65C0000-0x00007FFCD7081000-memory.dmp

Filesize
10.8MB

Download
memory/4760-42-0x00007FFCD65C0000-0x00007FFCD7081000-memory.dmp

Filesize
10.8MB

Download
memory/4760-40-0x00000000000E0000-0x00000000000E8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads