crealstealer | 8a714538823fc5e4cdbec6114c6d30fe3ab2eb2b557b81de4c59e073c85aa765 | Triage

Sharing

General

Target

NSFW_Generator.zip
Size

13.6MB
Sample

240228-kcy2jafc51
MD5

13d393059d3aad115b1119cdb7389a32
SHA1

bc7c89aacacdf0027e6274312dd0f4f4ee5d21c4
SHA256

8a714538823fc5e4cdbec6114c6d30fe3ab2eb2b557b81de4c59e073c85aa765
SHA512

6eb50b0ea1ead56752da0d569e6a0ebffa69d8693675084522800ecce6754952d590f5179bc087b340ba935ebffcd214d961f9a2b30891cf812f6d1537ede2b9
SSDEEP

393216:+ntaFcUCtjef0WtDLC3nz4zJFCU0+sSqHF3cVGhF4FvGsc:q8FXCtw0Wtaj4Pr0HSqH6AQvFc

Score

10^/10

crealstealer pyinstaller spyware stealer

Malware Config

Targets

- Target
  
  NSFW Generator/NSFWGEN.exe
- Size
  
  13.8MB
- MD5
  
  638d136547ece9e4f282d62aa6562a07
- SHA1
  
  19ba1d25332fac7c3fe7bf0eae2ad3520fded5db
- SHA256
  
  d7407d5dd0dca80aa9798ff6aaa10635474feab533b7e6db87d759abf69f1ee8
- SHA512
  
  e1c2f4a6ffff124c5a7cece7a48be026f1098708376f3e03d46f2e8a0f35e05d223da05b78ef3417422d62ce9feaa137241b0f879b731f63b2c1cbaafebc3323
- SSDEEP
  
  393216:hiIE7Yo5D2nwW+eGQRIMTozGxu8C0ibfz6e57F1bmXdWCNx+:O7r5DawW+e5R5oztZ026e5XkVN4
Score

7^/10

spyware stealer
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1
- Target
  
  NSFW Generator/start.bat
- Size
  
  17B
- MD5
  
  7832b275978713ff3c40544308894cda
- SHA1
  
  981608258b7ca6860bc90981321716d167884302
- SHA256
  
  fa52f3a6d700af1047bd644f48985baa147256b612cc0751968cc3e0715c69c1
- SHA512
  
  d77c0216f1a4e7dae6b417c3c1e3339fce4cf30b112dc8251011ebb82ad489b2366e71699323af14e72c96a4793fc5bb86a22b6bb723d2302cf5e6712a3cac85
Score

7^/10

spyware
- Drops startup file
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Process Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

pyinstallercrealstealer

behavioral1

behavioral2