Overview
overview
10Static
static
10a5bcc672d9...98.exe
windows7-x64
10a5bcc672d9...98.exe
windows10-2004-x64
10$PLUGINSDIR/INetC.dll
windows7-x64
3$PLUGINSDIR/INetC.dll
windows10-2004-x64
3$TEMP/BroomSetup.exe
windows7-x64
9$TEMP/BroomSetup.exe
windows10-2004-x64
9$TEMP/syncUpd.exe
windows7-x64
10$TEMP/syncUpd.exe
windows10-2004-x64
10General
-
Target
a5bcc672d91ff60374275df4680a61fac1ade6562d16851dd3e3acd2d2efab98
-
Size
2.0MB
-
Sample
240313-1x8dpsce64
-
MD5
8622cfa4169dcf4067c9ae95f547e0ab
-
SHA1
bc493149c64f6fe7a3b148582eae4c6c067d2c01
-
SHA256
a5bcc672d91ff60374275df4680a61fac1ade6562d16851dd3e3acd2d2efab98
-
SHA512
3e3acb0dc3cffb2cbbd368451aed2fbed8f432c0c025b93a18bd5a6b834b83eef3970640991e136e9215389538c68ba899f9683b89de4fc4c3c3fec0a20793bc
-
SSDEEP
49152:L/Wc4f+MZYsh6bIm5KCoaOEHXhm95BBy/9z8LsvfMA7jYMd:CTfFym6bImUfexm95BOnd
Behavioral task
behavioral1
Sample
a5bcc672d91ff60374275df4680a61fac1ade6562d16851dd3e3acd2d2efab98.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
a5bcc672d91ff60374275df4680a61fac1ade6562d16851dd3e3acd2d2efab98.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/INetC.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/INetC.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
$TEMP/BroomSetup.exe
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
$TEMP/BroomSetup.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
$TEMP/syncUpd.exe
Resource
win7-20231129-en
Malware Config
Extracted
stealc
http://185.172.128.145
-
url_path
/3cd2b41cbde8fc9c.php
Targets
-
-
Target
a5bcc672d91ff60374275df4680a61fac1ade6562d16851dd3e3acd2d2efab98
-
Size
2.0MB
-
MD5
8622cfa4169dcf4067c9ae95f547e0ab
-
SHA1
bc493149c64f6fe7a3b148582eae4c6c067d2c01
-
SHA256
a5bcc672d91ff60374275df4680a61fac1ade6562d16851dd3e3acd2d2efab98
-
SHA512
3e3acb0dc3cffb2cbbd368451aed2fbed8f432c0c025b93a18bd5a6b834b83eef3970640991e136e9215389538c68ba899f9683b89de4fc4c3c3fec0a20793bc
-
SSDEEP
49152:L/Wc4f+MZYsh6bIm5KCoaOEHXhm95BBy/9z8LsvfMA7jYMd:CTfFym6bImUfexm95BOnd
-
Detect binaries embedding considerable number of MFA browser extension IDs.
-
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
UPX dump on OEP (original entry point)
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
$PLUGINSDIR/INetC.dll
-
Size
21KB
-
MD5
2b342079303895c50af8040a91f30f71
-
SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e
-
SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
-
SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47
-
SSDEEP
384:KOoVVefeWsI7rsIquPLNN546o0Ac9khYLMkIX0+Gzyekv:4VVaeE7wIqyJN5i
Score3/10 -
-
-
Target
$TEMP/BroomSetup.exe
-
Size
1.7MB
-
MD5
eee5ddcffbed16222cac0a1b4e2e466e
-
SHA1
28b40c88b8ea50b0782e2bcbb4cc0f411035f3d5
-
SHA256
2a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54
-
SHA512
8f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc
-
SSDEEP
49152:YUnaQiKJ8N+AadA6mICFhNGffVCPi9NUko6jE:ZwKa+u6mICFSwPKDK
Score9/10-
UPX dump on OEP (original entry point)
-
-
-
Target
$TEMP/syncUpd.exe
-
Size
199KB
-
MD5
c30ba6943a94d2e8ed78cd2ca1bc207d
-
SHA1
9f72b0a089b6c66a1e81b25fe0b652f3bbb85b79
-
SHA256
d14472c3ab77a8e09ce45dbf6dfc686657539fc9520b510b4417f99114cfd7e8
-
SHA512
8080ae1b569b6f0f65814758ee3cdbf45f51e1411c731850751980b9310eb3493f64b6b85e681059f9354ea07fb110f1865f5b613c6dc90290f6fcb3b5b194a0
-
SSDEEP
3072:CHO6XigQe+JK1vljkjdv/oJIOSe7NC1RhrW2O4:C5Xp+WSjd38v7NC3
-
Detect binaries embedding considerable number of MFA browser extension IDs.
-
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-