crealstealer | 3069064dcecc542ec9f3055bd523b76b75bf8857de4ed53033d2c3f1f2860c3f

General

Target

6e0f22d3c54d7680dd7d1a284f546d509a25d4a0e00d534733d23649c1904122.exe
Size

13.1MB
MD5

ffad668e3893f27d0011b0acbc580477
SHA1

23ec45c30d56f48fd70ce794c4ffe8df53d0fc93
SHA256

6e0f22d3c54d7680dd7d1a284f546d509a25d4a0e00d534733d23649c1904122
SHA512

1930ca8726f0fa9435f84f484dc99d3925308d065a498270fa427241134bbf99d0bba3e58baea71a982a3c585014f4957acaa97a0aea343157cb14ca3a3080ab
SSDEEP

393216:SO+TZ1nFOl+bzkCu1tsTmtCyJnQYSvWXr/:SlZ1nS8Du126tCmb

Score

10^/10

Malware Config

Signatures

An infostealer written in Python and packaged with PyInstaller. 1 IoCs

resource	yara_rule
behavioral1/files/0x000e000000012335-88.dat	crealstealer

crealstealer
An infostealer written in Python and packaged with PyInstaller.
stealer crealstealer

Executes dropped EXE 1 IoCs

pid	Process
2832	test.exe

Loads dropped DLL 2 IoCs

pid	Process
1976	6e0f22d3c54d7680dd7d1a284f546d509a25d4a0e00d534733d23649c1904122.exe
2832	test.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/1976-3-0x000000013F2F0000-0x0000000140B74000-memory.dmp	vmprotect
behavioral1/memory/1976-140-0x000000013F2F0000-0x0000000140B74000-memory.dmp	vmprotect

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1976	6e0f22d3c54d7680dd7d1a284f546d509a25d4a0e00d534733d23649c1904122.exe
1976	6e0f22d3c54d7680dd7d1a284f546d509a25d4a0e00d534733d23649c1904122.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2832	1976	6e0f22d3c54d7680dd7d1a284f546d509a25d4a0e00d534733d23649c1904122.exe	29
PID 1976 wrote to memory of 2832	1976	6e0f22d3c54d7680dd7d1a284f546d509a25d4a0e00d534733d23649c1904122.exe	29
PID 1976 wrote to memory of 2832	1976	6e0f22d3c54d7680dd7d1a284f546d509a25d4a0e00d534733d23649c1904122.exe	29

C:\Users\Admin\AppData\Local\Temp\6e0f22d3c54d7680dd7d1a284f546d509a25d4a0e00d534733d23649c1904122.exe
"C:\Users\Admin\AppData\Local\Temp\6e0f22d3c54d7680dd7d1a284f546d509a25d4a0e00d534733d23649c1904122.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Local\Temp\onefile_1976_133533935577780000\test.exe
  "C:\Users\Admin\AppData\Local\Temp\6e0f22d3c54d7680dd7d1a284f546d509a25d4a0e00d534733d23649c1904122.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onefile_1976_133533935577780000\python39.dll

Filesize
4.3MB

MD5
2135da9f78a8ef80850fa582df2c7239

SHA1
aac6ad3054de6566851cae75215bdeda607821c4

SHA256
324963a39b8fd045ff634bb3271508dab5098b4d99e85e7648d0b47c32dc85c3

SHA512
423b03990d6aa9375ce10e6b62ffdb7e1e2f20a62d248aac822eb9d973ae2bf35deddd2550a4a0e17c51ad9f1e4f86443ca8f94050e0986daa345d30181a2369

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_1976_133533935577780000\test.exe

Filesize
8.7MB

MD5
41d138bbf8c88b768893f1e3780ce8ce

SHA1
f40316b43a5ae05a57912dcc3e2b85f8c13dd49f

SHA256
5792e9ff47f6406510f874b8057db827b82e07f7e5b7857454530c0e9170c13f

SHA512
3105670955b9d3ed56c0411ac3d8cb343a187b33def36915e3aa9ecf0e15603c5246541acfe275a458c7f682d28c6f399b582342d120e8e0ff76e75ed8d0d1c6

Download Submit
memory/1976-20-0x0000000076FF0000-0x0000000076FF2000-memory.dmp

Filesize
8KB

Download
memory/1976-141-0x0000000076E10000-0x0000000076FB9000-memory.dmp

Filesize
1.7MB

Download
memory/1976-0-0x0000000076FC0000-0x0000000076FC2000-memory.dmp

Filesize
8KB

Download
memory/1976-8-0x0000000076FD0000-0x0000000076FD2000-memory.dmp

Filesize
8KB

Download
memory/1976-10-0x0000000076FD0000-0x0000000076FD2000-memory.dmp

Filesize
8KB

Download
memory/1976-11-0x0000000076FE0000-0x0000000076FE2000-memory.dmp

Filesize
8KB

Download
memory/1976-13-0x0000000076FE0000-0x0000000076FE2000-memory.dmp

Filesize
8KB

Download
memory/1976-15-0x0000000076FE0000-0x0000000076FE2000-memory.dmp

Filesize
8KB

Download
memory/1976-16-0x0000000076FF0000-0x0000000076FF2000-memory.dmp

Filesize
8KB

Download
memory/1976-25-0x000007FEFCD20000-0x000007FEFCD22000-memory.dmp

Filesize
8KB

Download
memory/1976-6-0x0000000076FD0000-0x0000000076FD2000-memory.dmp

Filesize
8KB

Download
memory/1976-5-0x0000000076FC0000-0x0000000076FC2000-memory.dmp

Filesize
8KB

Download
memory/1976-18-0x0000000076FF0000-0x0000000076FF2000-memory.dmp

Filesize
8KB

Download
memory/1976-28-0x000007FEFCD30000-0x000007FEFCD32000-memory.dmp

Filesize
8KB

Download
memory/1976-30-0x000007FEFCD30000-0x000007FEFCD32000-memory.dmp

Filesize
8KB

Download
memory/1976-31-0x0000000077000000-0x0000000077002000-memory.dmp

Filesize
8KB

Download
memory/1976-33-0x0000000077000000-0x0000000077002000-memory.dmp

Filesize
8KB

Download
memory/1976-35-0x0000000077000000-0x0000000077002000-memory.dmp

Filesize
8KB

Download
memory/1976-37-0x0000000076E10000-0x0000000076FB9000-memory.dmp

Filesize
1.7MB

Download
memory/1976-2-0x0000000076FC0000-0x0000000076FC2000-memory.dmp

Filesize
8KB

Download
memory/1976-3-0x000000013F2F0000-0x0000000140B74000-memory.dmp

Filesize
24.5MB

Download
memory/1976-140-0x000000013F2F0000-0x0000000140B74000-memory.dmp

Filesize
24.5MB

Download
memory/1976-23-0x000007FEFCD20000-0x000007FEFCD22000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing