crealstealer | 8facb9f4dab8c89f24db5de1aee42ee86d80c0423d138c9c3930e4ce314fc73d | Triage

Sharing

General

Target

Jokers_Cleaner_V2.rar
Size

13.5MB
Sample

240301-dxdg1abh25
MD5

191a0477dec7d3226376ec396acbb91b
SHA1

096f0dc1347d044734d21bf46342b12d3e46ea24
SHA256

8facb9f4dab8c89f24db5de1aee42ee86d80c0423d138c9c3930e4ce314fc73d
SHA512

fe782a72b7485b0fbc053162e3a9d2c2066113f4e23cbea3c137c7d8e8d656d11bdca5e220eed79a215bac4ba18014edd449c847ebfaab86f0d9c7db1b6332a2
SSDEEP

393216:ofWzYKGasOrrMNsPi31DGduuDbTi6FVqEd1EIr:of+Y2YNsPqNUuAS6VqEDb

Score

10^/10

crealstealer pyinstaller spyware stealer

Malware Config

Targets

- Target
  
  Jokers_Cleaner_V2.rar
- Size
  
  13.5MB
- MD5
  
  191a0477dec7d3226376ec396acbb91b
- SHA1
  
  096f0dc1347d044734d21bf46342b12d3e46ea24
- SHA256
  
  8facb9f4dab8c89f24db5de1aee42ee86d80c0423d138c9c3930e4ce314fc73d
- SHA512
  
  fe782a72b7485b0fbc053162e3a9d2c2066113f4e23cbea3c137c7d8e8d656d11bdca5e220eed79a215bac4ba18014edd449c847ebfaab86f0d9c7db1b6332a2
- SSDEEP
  
  393216:ofWzYKGasOrrMNsPi31DGduuDbTi6FVqEd1EIr:of+Y2YNsPqNUuAS6VqEDb
Score

7^/10

pyinstaller spyware stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2
- Target
  
  Jokers_Cleaner_V2.exe
- Size
  
  13.7MB
- MD5
  
  fb1cf575aa9dcf85592b2956a0b7afb7
- SHA1
  
  78df71718173217bff6454df48015e80d3a691e7
- SHA256
  
  128b60bd445eec4baa7b602bcc2cc5dee8114e4c53507c2737ce53571583a1b9
- SHA512
  
  974d4dbf7f5b5b51be789394df663e96d587341344c6641df49413ae8e6abfa6cba324274177991c4c1472b851aba5d75d2cd703a121134522f114f0ac744a79
- SSDEEP
  
  196608:b0Ekv0sKYu/PaQ+DuNtHQpXxCL2Vmd6+DKMTNfwZHYYfovCw/jUJpYIHUtE0v1yn:oEkZQzwpBCL2Vmd6mKMBkGCwwFHQiD
Score

7^/10

spyware stealer
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral3 behavioral4
- Target
  
  creal.pyc
- Size
  
  32KB
- MD5
  
  2ffd8e4ea301496367a7251927e17347
- SHA1
  
  5ae74e8d31f1bad407c510a950ecee712c46fbef
- SHA256
  
  9a34df241a4cad17587489c4cbfc8dfb69b21f830600f6e4b9ca0dd8c8ac54d4
- SHA512
  
  14794d74d1fbdeca3f32d30bd0622f1592cc697202f8d3463752d7eee0c37024ab88a344a682a17cf877cc2803c654142958bb2a771005a6e96972f895124def
- SSDEEP
  
  768:L8Dnroh2VsfNEiyAuAfKFMrRtfqtvEwS7bnjerAroaHDsIAvN8YC06X:Ijrae3aKFcfDwS7fOPviYD6X
Score

3^/10
behavioral5 behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Process Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

pyinstallercrealstealer

behavioral1

behavioral2

pyinstallerspywarestealer

behavioral3

behavioral4

behavioral5

behavioral6