crealstealer | 6e0f22d3c54d7680dd7d1a284f546d509a25d4a0e00d534733d23649c1904122

General

Target

SecuriteInfo.com.Trojan.PWS.Stealer.38408.30550.27254.exe
Size

13.1MB
MD5

ffad668e3893f27d0011b0acbc580477
SHA1

23ec45c30d56f48fd70ce794c4ffe8df53d0fc93
SHA256

6e0f22d3c54d7680dd7d1a284f546d509a25d4a0e00d534733d23649c1904122
SHA512

1930ca8726f0fa9435f84f484dc99d3925308d065a498270fa427241134bbf99d0bba3e58baea71a982a3c585014f4957acaa97a0aea343157cb14ca3a3080ab
SSDEEP

393216:SO+TZ1nFOl+bzkCu1tsTmtCyJnQYSvWXr/:SlZ1nS8Du126tCmb

Score

10^/10

Malware Config

Signatures

An infostealer written in Python and packaged with PyInstaller. 2 IoCs

resource	yara_rule
behavioral1/files/0x000c000000014228-88.dat	crealstealer
behavioral1/files/0x000c000000014228-90.dat	crealstealer

crealstealer
An infostealer written in Python and packaged with PyInstaller.
stealer crealstealer

Executes dropped EXE 1 IoCs

pid	Process
2460	test.exe

Loads dropped DLL 2 IoCs

pid	Process
2364	SecuriteInfo.com.Trojan.PWS.Stealer.38408.30550.27254.exe
2460	test.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2364-3-0x000000013F180000-0x0000000140A04000-memory.dmp	vmprotect
behavioral1/memory/2364-36-0x000000013F180000-0x0000000140A04000-memory.dmp	vmprotect
behavioral1/memory/2364-140-0x000000013F180000-0x0000000140A04000-memory.dmp	vmprotect

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2364	SecuriteInfo.com.Trojan.PWS.Stealer.38408.30550.27254.exe
2364	SecuriteInfo.com.Trojan.PWS.Stealer.38408.30550.27254.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2460	2364	SecuriteInfo.com.Trojan.PWS.Stealer.38408.30550.27254.exe	29
PID 2364 wrote to memory of 2460	2364	SecuriteInfo.com.Trojan.PWS.Stealer.38408.30550.27254.exe	29
PID 2364 wrote to memory of 2460	2364	SecuriteInfo.com.Trojan.PWS.Stealer.38408.30550.27254.exe	29

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Stealer.38408.30550.27254.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Stealer.38408.30550.27254.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\onefile_2364_133532833899086000\test.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Stealer.38408.30550.27254.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onefile_2364_133532833899086000\python39.dll

Filesize
4.3MB

MD5
2135da9f78a8ef80850fa582df2c7239

SHA1
aac6ad3054de6566851cae75215bdeda607821c4

SHA256
324963a39b8fd045ff634bb3271508dab5098b4d99e85e7648d0b47c32dc85c3

SHA512
423b03990d6aa9375ce10e6b62ffdb7e1e2f20a62d248aac822eb9d973ae2bf35deddd2550a4a0e17c51ad9f1e4f86443ca8f94050e0986daa345d30181a2369

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2364_133532833899086000\test.exe

Filesize
7.7MB

MD5
78d3cd14c1fcbd2f6cc7514b76f5e0ec

SHA1
eb41f5cc457ce2c3357a2036c09430070f59bb4f

SHA256
c1b5f7e54f4226981c0f8af5e13f7c8c0faade9aaee7fbcc6b75bd6cb01c8efd

SHA512
e974dfe29006684d0e4f842ed0f23df2391626dbe7dba0129230ad7368a95f3ffb475daeea050dc35216ef0e7208c37f9652cb76fe5873e157e785e699bc36c2

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_2364_133532833899086000\test.exe

Filesize
7.5MB

MD5
7255ea73a7cc8280091301dd9e6c0806

SHA1
b9d9dc1e59059f50c263ef40c399c0183042c3d1

SHA256
1cd318d987a414424f6d480a892553cb4eedfca39cc97c9703953ee3e4347cd0

SHA512
1f4e7bc42b37f1537184af898af033b28f1fe4560b4fe44d25fc7a330d266dd86c3873bfd0ccac1cd8c6c51c149f15aedf032e8a32b7c5db121adaf1ff9415ff

Download Submit
memory/2364-20-0x00000000774B0000-0x00000000774B2000-memory.dmp

Filesize
8KB

Download
memory/2364-25-0x000007FEFD400000-0x000007FEFD402000-memory.dmp

Filesize
8KB

Download
memory/2364-8-0x0000000077490000-0x0000000077492000-memory.dmp

Filesize
8KB

Download
memory/2364-10-0x0000000077490000-0x0000000077492000-memory.dmp

Filesize
8KB

Download
memory/2364-11-0x00000000774A0000-0x00000000774A2000-memory.dmp

Filesize
8KB

Download
memory/2364-13-0x00000000774A0000-0x00000000774A2000-memory.dmp

Filesize
8KB

Download
memory/2364-15-0x00000000774A0000-0x00000000774A2000-memory.dmp

Filesize
8KB

Download
memory/2364-16-0x00000000774B0000-0x00000000774B2000-memory.dmp

Filesize
8KB

Download
memory/2364-18-0x00000000774B0000-0x00000000774B2000-memory.dmp

Filesize
8KB

Download
memory/2364-0-0x0000000077480000-0x0000000077482000-memory.dmp

Filesize
8KB

Download
memory/2364-23-0x000007FEFD400000-0x000007FEFD402000-memory.dmp

Filesize
8KB

Download
memory/2364-6-0x0000000077490000-0x0000000077492000-memory.dmp

Filesize
8KB

Download
memory/2364-28-0x000007FEFD410000-0x000007FEFD412000-memory.dmp

Filesize
8KB

Download
memory/2364-30-0x000007FEFD410000-0x000007FEFD412000-memory.dmp

Filesize
8KB

Download
memory/2364-31-0x00000000774C0000-0x00000000774C2000-memory.dmp

Filesize
8KB

Download
memory/2364-33-0x00000000774C0000-0x00000000774C2000-memory.dmp

Filesize
8KB

Download
memory/2364-35-0x00000000774C0000-0x00000000774C2000-memory.dmp

Filesize
8KB

Download
memory/2364-37-0x00000000772D0000-0x0000000077479000-memory.dmp

Filesize
1.7MB

Download
memory/2364-36-0x000000013F180000-0x0000000140A04000-memory.dmp

Filesize
24.5MB

Download
memory/2364-5-0x0000000077480000-0x0000000077482000-memory.dmp

Filesize
8KB

Download
memory/2364-2-0x0000000077480000-0x0000000077482000-memory.dmp

Filesize
8KB

Download
memory/2364-3-0x000000013F180000-0x0000000140A04000-memory.dmp

Filesize
24.5MB

Download
memory/2364-140-0x000000013F180000-0x0000000140A04000-memory.dmp

Filesize
24.5MB

Download
memory/2364-141-0x00000000772D0000-0x0000000077479000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing