crealstealer | 705dffc3bbb0269cf07dd30663eac4d42774400a995d35b9a852f35d97548889 | Triage

Resubmissions

11-03-2024 08:37

240311-kjdn6sfg5y 10

Sharing

General

Target

BoostTool.rar
Size

14.2MB
Sample

240311-kjdn6sfg5y
MD5

2ec6529ee57f5664b5c921324ba0905c
SHA1

033a29688c7ca373a6de29ae89f37a735669add8
SHA256

705dffc3bbb0269cf07dd30663eac4d42774400a995d35b9a852f35d97548889
SHA512

648d3babe00497c30bcb32e860a4c5caf7123311810dd3b9878e2c5e76039b64aec93e315e6eedfad4731901806ce8fc82a38c87d406fc3c2656ec7dbe901110
SSDEEP

196608:+VOENbNNhARt7Fm/sM8kwQxYk1hYd7M+i4ctWJ1YXJzGvir/vB/+e:+8KVAH7WZwQx7hB+V+WJ14GvAp/R

Score

10^/10

crealstealer pyinstaller spyware stealer

Malware Config

Targets

- Target
  
  BoostTool.rar
- Size
  
  14.2MB
- MD5
  
  2ec6529ee57f5664b5c921324ba0905c
- SHA1
  
  033a29688c7ca373a6de29ae89f37a735669add8
- SHA256
  
  705dffc3bbb0269cf07dd30663eac4d42774400a995d35b9a852f35d97548889
- SHA512
  
  648d3babe00497c30bcb32e860a4c5caf7123311810dd3b9878e2c5e76039b64aec93e315e6eedfad4731901806ce8fc82a38c87d406fc3c2656ec7dbe901110
- SSDEEP
  
  196608:+VOENbNNhARt7Fm/sM8kwQxYk1hYd7M+i4ctWJ1YXJzGvir/vB/+e:+8KVAH7WZwQx7hB+V+WJ14GvAp/R
Score

7^/10

pyinstaller
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2
- Target
  
  BoostTool/BoostTool.exe
- Size
  
  14.4MB
- MD5
  
  2ec355cdf7ed2a42dfd7f8fd99832e7b
- SHA1
  
  4188809c194cff19aa2ac1be92880b1d94671eee
- SHA256
  
  e4e4a02242c6416be563ae09cb9e46e10a68809fd4cde16104d9d4dfb578ad4f
- SHA512
  
  a30f3b310b8b01f102d9936d2dbb7044db07b15ebfdf90e0afc8d6086d50c5b26e39643bdb6970fb4a67e933ea8176af1febf35b4bb3ab9c10f4cfd854318fc7
- SSDEEP
  
  393216:UiIE7YoPQMidQuslSq99oWOv+9fg03raqVvHBw:t7rPQ3dQuSDorvSY03rpve
Score

7^/10

spyware stealer
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral3 behavioral4
- Target
  
  Creal.pyc
- Size
  
  75KB
- MD5
  
  149b02314b58710b912b182e76e1f5c9
- SHA1
  
  314c9bf321d3cb5fd12b66771280eb444b0de9cb
- SHA256
  
  4546e2a2030e19289701fb5f78a8a0965ec99430a0cb53d6e1e24cebf02cacef
- SHA512
  
  a1d316e9f439abcda35d229cdd6291282c50125b79e90f8d98a7e87fd6c5634ab502db97e18cb7e59c8ba6cdb927fe9472f3e607510094a4ab07f0a09f66b6e4
- SSDEEP
  
  1536:auPDrge3uzTZMB7aK1gIEDjp9wgqpRPzTgMuqde:lPDUe3uz0Bn49/6PzTgMM
Score

3^/10
behavioral5 behavioral6
- Target
  
  BoostTool/READMIN.txt
- Size
  
  643B
- MD5
  
  5191f5801f27ebd3bbd2d3adc4cd2e36
- SHA1
  
  ea69e921137dd05a4dd74905ecd674f4b9568723
- SHA256
  
  ca8229264b9c02963a29d0d9dfadb4eb7def2469c2cafb89e51e38400c825b10
- SHA512
  
  48433f3b1ace4178ff64f5fffe8b1df56830d348c72157986c6f18babe8385838f4f26c65b3302c0cd64802ac1da802e19c5dd6e74c264405ee66a7cdfd5686a
Score

1^/10
behavioral7 behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Process Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

pyinstallercrealstealer

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8