outsteel | 2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b

General

Target

2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe
Size

666KB
MD5

75d6f57cfba0ebc3633a49a8412a43e5
SHA1

dd7a31b07f1dfdcdbb72f59c3535636b41d0eaad
SHA256

2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b
SHA512

f0af86544c32c48480435cd7be758892e747989189d30952bbe0bdc59074fcdab2e4022ec20125275846713c65710d3249268a76eb89009cd9cd036c83ed043c
SSDEEP

12288:OGJvgsbgbyf6lzps3Lo4CwKj/X+3WxeOW93pSsTAvSBubsKxl8q/Npiv2cH3:OGWpSYs3c4CwKjW5OW94sTA/Jov2cH3

Score

10^/10

outsteel spyware stealer

Malware Config

Signatures

OutSteel
OutSteel is a file uploader and document stealer written in AutoIT.
stealer outsteel
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe

description	ioc	process
File opened (read-only)	\??\b:	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe
File opened (read-only)	\??\h:	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe
File opened (read-only)	\??\n:	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe
File opened (read-only)	\??\t:	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe
File opened (read-only)	\??\u:	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe
File opened (read-only)	\??\z:	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe
File opened (read-only)	\??\x:	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe
File opened (read-only)	\??\y:	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe
File opened (read-only)	\??\a:	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe
File opened (read-only)	\??\i:	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe
File opened (read-only)	\??\j:	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe
File opened (read-only)	\??\o:	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe
File opened (read-only)	\??\p:	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe
File opened (read-only)	\??\r:	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe
File opened (read-only)	\??\e:	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe
File opened (read-only)	\??\g:	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe
File opened (read-only)	\??\k:	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe
File opened (read-only)	\??\l:	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe
File opened (read-only)	\??\w:	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe
File opened (read-only)	\??\m:	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe
File opened (read-only)	\??\q:	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe
File opened (read-only)	\??\s:	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe
File opened (read-only)	\??\v:	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe

AutoIT Executable 10 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/2400-2-0x0000000000230000-0x000000000030D000-memory.dmp	autoit_exe
behavioral1/memory/2400-3-0x0000000000400000-0x0000000000A7E000-memory.dmp	autoit_exe
behavioral1/memory/2400-4-0x0000000000400000-0x0000000000A7E000-memory.dmp	autoit_exe
behavioral1/memory/2400-7-0x0000000000230000-0x000000000030D000-memory.dmp	autoit_exe
behavioral1/memory/2400-8-0x0000000000400000-0x0000000000A7E000-memory.dmp	autoit_exe
behavioral1/memory/2400-10-0x0000000000400000-0x0000000000A7E000-memory.dmp	autoit_exe
behavioral1/memory/2400-12-0x0000000000400000-0x0000000000A7E000-memory.dmp	autoit_exe
behavioral1/memory/2400-14-0x0000000000400000-0x0000000000A7E000-memory.dmp	autoit_exe
behavioral1/memory/2400-16-0x0000000000400000-0x0000000000A7E000-memory.dmp	autoit_exe
behavioral1/memory/2400-18-0x0000000000400000-0x0000000000A7E000-memory.dmp	autoit_exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe

description	pid	process	target process
PID 2400 wrote to memory of 2332	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2332	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2332	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2332	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2028	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2028	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2028	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2028	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2576	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2576	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2576	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2576	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2700	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2700	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2700	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2700	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2596	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2596	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2596	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2596	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2588	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2588	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2588	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2588	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 552	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 552	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 552	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 552	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2712	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2712	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2712	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2712	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2500	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2500	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2500	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2500	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2964	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2964	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2964	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2964	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 1732	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 1732	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 1732	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 1732	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 1180	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 1180	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 1180	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 1180	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2868	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2868	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2868	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2868	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2096	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2096	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2096	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2096	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2144	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2144	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2144	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 2144	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 1428	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 1428	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 1428	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe
PID 2400 wrote to memory of 1428	2400	2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe
"C:\Users\Admin\AppData\Local\Temp\2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b.exe"
1⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
  2⤵
  PID:2332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
  2⤵
  PID:2028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
  2⤵
  PID:2576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
  2⤵
  PID:2700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
  2⤵
  PID:2596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
  2⤵
  PID:2588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
  2⤵
  PID:552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
  2⤵
  PID:2712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
  2⤵
  PID:2500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
  2⤵
  PID:2964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
  2⤵
  PID:1732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
  2⤵
  PID:1180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
  2⤵
  PID:2868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
  2⤵
  PID:2096
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
  2⤵
  PID:2144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
  2⤵
  PID:1428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
  2⤵
  PID:1176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2400-1-0x0000000000EA0000-0x0000000000FA0000-memory.dmp

Filesize
1024KB

Download
memory/2400-2-0x0000000000230000-0x000000000030D000-memory.dmp

Filesize
884KB

Download
memory/2400-3-0x0000000000400000-0x0000000000A7E000-memory.dmp

Filesize
6.5MB

Download
memory/2400-4-0x0000000000400000-0x0000000000A7E000-memory.dmp

Filesize
6.5MB

Download
memory/2400-6-0x0000000000EA0000-0x0000000000FA0000-memory.dmp

Filesize
1024KB

Download
memory/2400-7-0x0000000000230000-0x000000000030D000-memory.dmp

Filesize
884KB

Download
memory/2400-8-0x0000000000400000-0x0000000000A7E000-memory.dmp

Filesize
6.5MB

Download
memory/2400-10-0x0000000000400000-0x0000000000A7E000-memory.dmp

Filesize
6.5MB

Download
memory/2400-12-0x0000000000400000-0x0000000000A7E000-memory.dmp

Filesize
6.5MB

Download
memory/2400-14-0x0000000000400000-0x0000000000A7E000-memory.dmp

Filesize
6.5MB

Download
memory/2400-16-0x0000000000400000-0x0000000000A7E000-memory.dmp

Filesize
6.5MB

Download
memory/2400-18-0x0000000000400000-0x0000000000A7E000-memory.dmp

Filesize
6.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads