outsteel | 320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2

General

Target

320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe
Size

938KB
MD5

ede3bf69a09cec27ded2d20c95ca78e3
SHA1

8d3a1b800d73d5315998b3b5f966b084fdb4b806
SHA256

320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2
SHA512

6077d56956aa777ec8efc001671cf23faba37a3f3d06dcb312ea1ac43e86dddb8aed5921923b5cd088d106900cd263a70ce466f43cca1750f1695ae8a91bb3f1
SSDEEP

24576:UAHnh+eWsN3skA4RV1Hom2KXMmHaTnauw5:jh+ZkldoPK8YaTna9

Score

10^/10

outsteel spyware stealer

Malware Config

Signatures

OutSteel
OutSteel is a file uploader and document stealer written in AutoIT.
stealer outsteel
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe

description	ioc	process
File opened (read-only)	\??\a:	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe
File opened (read-only)	\??\e:	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe
File opened (read-only)	\??\h:	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe
File opened (read-only)	\??\i:	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe
File opened (read-only)	\??\m:	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe
File opened (read-only)	\??\o:	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe
File opened (read-only)	\??\b:	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe
File opened (read-only)	\??\k:	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe
File opened (read-only)	\??\q:	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe
File opened (read-only)	\??\x:	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe
File opened (read-only)	\??\l:	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe
File opened (read-only)	\??\p:	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe
File opened (read-only)	\??\r:	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe
File opened (read-only)	\??\s:	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe
File opened (read-only)	\??\v:	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe
File opened (read-only)	\??\y:	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe
File opened (read-only)	\??\z:	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe
File opened (read-only)	\??\g:	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe
File opened (read-only)	\??\j:	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe
File opened (read-only)	\??\n:	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe
File opened (read-only)	\??\t:	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe
File opened (read-only)	\??\u:	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe
File opened (read-only)	\??\w:	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe

description	pid	process	target process
PID 2044 wrote to memory of 1472	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 1472	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 1472	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 1472	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 1752	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 1752	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 1752	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 1752	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2384	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2384	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2384	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2384	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2564	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2564	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2564	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2564	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2944	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2944	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2944	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2944	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2608	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2608	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2608	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2608	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2684	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2684	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2684	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2684	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2632	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2632	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2632	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2632	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2612	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2612	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2612	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2612	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2640	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2640	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2640	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2640	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2504	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2504	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2504	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2504	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 1076	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 1076	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 1076	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 1076	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2496	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2496	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2496	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2496	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2600	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2600	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2600	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2600	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 3008	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 3008	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 3008	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 3008	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2476	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2476	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2476	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe
PID 2044 wrote to memory of 2476	2044	320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe
"C:\Users\Admin\AppData\Local\Temp\320d091b3f8de8688ce3b45cdda64a451ea6c22da1fcea60fe31101eb6f0f6c2.exe"
1⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
  2⤵
  PID:1472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
  2⤵
  PID:1752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
  2⤵
  PID:2384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
  2⤵
  PID:2564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
  2⤵
  PID:2944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
  2⤵
  PID:2608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
  2⤵
  PID:2684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
  2⤵
  PID:2632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
  2⤵
  PID:2612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
  2⤵
  PID:2640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
  2⤵
  PID:2504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
  2⤵
  PID:1076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
  2⤵
  PID:2496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
  2⤵
  PID:2600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
  2⤵
  PID:3008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
  2⤵
  PID:2476
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
  2⤵
  PID:2812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.txt" /S /B /A
  2⤵
  PID:2468