67e68d1933e87f680f063203e7e243c33deba2dfdbcd2bb08e9205d3fff26fb8

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-03-2024 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2222-main/stpastio.exe
Size

1.0MB
MD5

76240af1d6ebffbf210af7d95b59b97e
SHA1

8f029dfb9a98bd1c34335010c97780ac3f602d61
SHA256

18f6c675acef58163ad7322fbbaf75ac8d92c50e3f4e2dd02f26bbc4a93f4262
SHA512

71f2a9bb9a3ba9b0123fa302c6a96f9ff5b58be7804d1a84c170c4b69173428ddbc6807e91e034b23f83db9b51dfb8c6c7ae439fb822b7887927e5c84c007687
SSDEEP

24576:jfQYNBhhUF54clNf7+6uHAW92zt/sWu2BSMCqDoR12Q:Po54clgLH+tkWJ0N5

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

27 discord.com
29 discord.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 api.ipify.org
21 ip-api.com
5 api.ipify.org
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

stpastio.exe

pid process

1228 stpastio.exe
1228 stpastio.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

stpastio.exe

description pid process

Token: SeDebugPrivilege 1228 stpastio.exe

flow	ioc
27	discord.com
29	discord.com

flow	ioc
6	api.ipify.org
21	ip-api.com
5	api.ipify.org

pid	process
1228	stpastio.exe
1228	stpastio.exe

description	pid	process
Token: SeDebugPrivilege	1228	stpastio.exe

C:\Users\Admin\AppData\Local\Temp\2222-main\stpastio.exe
"C:\Users\Admin\AppData\Local\Temp\2222-main\stpastio.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZZPyLZ078BFBFF000306D28AAE05B334\34078BFBFF000306D28AAE05B3ZZPyLZ\Browsers\Passwords\Passwords_Edge.txt
Filesize
426B

MD5
42fa959509b3ed7c94c0cf3728b03f6d

SHA1
661292176640beb0b38dc9e7a462518eb592d27d

SHA256
870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00

SHA512
7def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZZPyLZ078BFBFF000306D28AAE05B334\34078BFBFF000306D28AAE05B3ZZPyLZ\Grabber\AssertResize.jpg
Filesize
195KB

MD5
bc69a791c507c71438971c5e0cf19fc1

SHA1
a855f608d6f9edeeb6b5f95a8b3c37dd38e12540

SHA256
5e69c84bc884a6e5652637e8194092ace26fb8ee572360f8d62e60f6ba9638b6

SHA512
82790b56be0bbbef76de7b3364df702ffb615f09374ddc28fad781ed048ad2e32ec2d1a059ad6cae99b61fccfde82aa13d72d6f374e43d7255629cf30a5b3972

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZZPyLZ078BFBFF000306D28AAE05B334\34078BFBFF000306D28AAE05B3ZZPyLZ\Grabber\StartRequest.doc
Filesize
2.7MB

MD5
350f0c4f39cf4747fd8ab733e0119b2e

SHA1
450d8c536684cc9ab3cc647117be633a4ba14c10

SHA256
f647c76ff472fa08c0f8e97d8fc49b78872613aa0adb725735d2783f9ef4ad26

SHA512
73dbf6cd9160716a050f2dcfcda2c2d38aeec5b0142105f5541c797689c5fde0a9528b2558e26391cacdc04fbdf29c62a98261f1f5ef401fc119ced0f9dc2b89

Download Submit
memory/1228-0-0x00000125937F0000-0x00000125938FA000-memory.dmp

Filesize
1.0MB

Download
memory/1228-1-0x00007FFC7B2E0000-0x00007FFC7BDA1000-memory.dmp

Filesize
10.8MB

Download
memory/1228-2-0x0000012595630000-0x00000125956A6000-memory.dmp

Filesize
472KB

Download
memory/1228-3-0x0000012593CC0000-0x0000012593CD0000-memory.dmp

Filesize
64KB

Download
memory/1228-73-0x00007FFC7B2E0000-0x00007FFC7BDA1000-memory.dmp

Filesize
10.8MB

Download
memory/1228-74-0x0000012593CC0000-0x0000012593CD0000-memory.dmp

Filesize
64KB

Download
memory/1228-85-0x00007FFC7B2E0000-0x00007FFC7BDA1000-memory.dmp

Filesize
10.8MB

Download