b644c7d9f5fe0a180121273c422657140a8f50751602b10abf2da0d4f7559f21

General

Target

a0e88eb1e2a4129c74610a0013accfab.exe
Size

177KB
MD5

a0e88eb1e2a4129c74610a0013accfab
SHA1

0ebee9fec5fabadb8dfe52ed1381cae09125eb27
SHA256

b644c7d9f5fe0a180121273c422657140a8f50751602b10abf2da0d4f7559f21
SHA512

9c7db431dab9cf9d7917cc6b542500437c8b1c5b5362278d6a4bf333631963c01523774bc5a7bf3060a9aa26191a0b90351dc69a5c5228de2614a0280a3da8a7
SSDEEP

3072:CYk6dY7ufdC3nYXzowqCvcUzl1g9oGKanMqT7wV05AjNNUeLKDwkD3pVazBdyjid:VDYWCXYXzowqp0rg9LKanMqPwV05YOp2

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2496-7-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2496-9-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2488-87-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1480-89-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1480-171-0x0000000000550000-0x0000000000650000-memory.dmp	upx
behavioral1/memory/2488-208-0x0000000000400000-0x000000000044B000-memory.dmp	upx

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2496	2488	a0e88eb1e2a4129c74610a0013accfab.exe	28
PID 2488 wrote to memory of 2496	2488	a0e88eb1e2a4129c74610a0013accfab.exe	28
PID 2488 wrote to memory of 2496	2488	a0e88eb1e2a4129c74610a0013accfab.exe	28
PID 2488 wrote to memory of 2496	2488	a0e88eb1e2a4129c74610a0013accfab.exe	28
PID 2488 wrote to memory of 1480	2488	a0e88eb1e2a4129c74610a0013accfab.exe	30
PID 2488 wrote to memory of 1480	2488	a0e88eb1e2a4129c74610a0013accfab.exe	30
PID 2488 wrote to memory of 1480	2488	a0e88eb1e2a4129c74610a0013accfab.exe	30
PID 2488 wrote to memory of 1480	2488	a0e88eb1e2a4129c74610a0013accfab.exe	30

C:\Users\Admin\AppData\Local\Temp\a0e88eb1e2a4129c74610a0013accfab.exe
"C:\Users\Admin\AppData\Local\Temp\a0e88eb1e2a4129c74610a0013accfab.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\a0e88eb1e2a4129c74610a0013accfab.exe
  C:\Users\Admin\AppData\Local\Temp\a0e88eb1e2a4129c74610a0013accfab.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:2496
- C:\Users\Admin\AppData\Local\Temp\a0e88eb1e2a4129c74610a0013accfab.exe
  C:\Users\Admin\AppData\Local\Temp\a0e88eb1e2a4129c74610a0013accfab.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\CC7E.013

Filesize
597B

MD5
63d654c994d2612d6087972a69c8000a

SHA1
89057743424af1fc69534f56c58cfaf9e3852b55

SHA256
b04dbff4d25f8ba23db83a5ac8276818f8a7845a1150dbf181da9af091face6b

SHA512
933c2513e4f5f02a36421a5e958fff8be7db11d9f2fae5c3bc7fc2af1287a8939b0ad582f662e1e5c567ddf270d94e8a237b2898f9344bdf521ef9350309588f

Download Submit
C:\Users\Admin\AppData\Roaming\CC7E.013

Filesize
1KB

MD5
68503ae0c5bc17142aab515a86ef82b9

SHA1
78ac32b250b8ef2b07f8773cf7feb17432bbe9f0

SHA256
d55018b798a57c4287cdde76d9f765922631283ee69329b6a62ce461ece0cbc9

SHA512
a64bd273304c87da931797af7e99bc6951088b4ea8db563a47701cf7b7855bfcff2a50a7c14457097d9c9b6431d55ba211ede486d3d616ef5bf9385dd6341fa1

Download Submit
C:\Users\Admin\AppData\Roaming\CC7E.013

Filesize
897B

MD5
2c76cfd74d657a1dd948da5192546f33

SHA1
70af82cb3f6b8fedcf4a0e2bae0963f13a8ebe9f

SHA256
a341bd0b8df397882b31361e4c517c21fa884db3f7b8ae5b2a467a20ee8b99df

SHA512
8f53760b4b209118feeab61530695fdcb2d38eb38e70e2db7b48edeabf7d992e7375bfbb931b855072b8558966699c2c3fcb1524973098af634220fa604a9bb4

Download Submit
C:\Users\Admin\AppData\Roaming\CC7E.013

Filesize
1KB

MD5
41ac3a4210f921bee545cb3d2f0e198c

SHA1
8c27d5b0a532340a85049097d85c53b5d1468b8c

SHA256
4779c1e99d7fc87fd27a3e18a356dad02f8256cebdf8fba25c378e97a51723a7

SHA512
a551fb5c92a8eb92b402eb8a5ac82e00342fbe2d8ca72fe9f317b792d8283df1b2d2ae94e899f36240dbe15bb939b416cb996a3782603fee66d29986ce88841a

Download Submit
memory/1480-90-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download
memory/1480-89-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1480-171-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download
memory/2488-87-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2488-2-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2488-92-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2488-1-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2488-208-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2496-9-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2496-8-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2496-7-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing