outsteel | 56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256

Analysis

max time kernel
144s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe
Size

697KB
MD5

a31cb445d3131bf567720c43f2a74484
SHA1

29e763a59424f9bb147df11a7b2ebfe9373a451f
SHA256

56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256
SHA512

ca8d1c63ababcb662922d4e91c3f599579ce324881ca4ce6effe942b91037012fc959060eab730d62b07330c17bd4ac49458b52c224c5e615ee55ae469ae0ae0
SSDEEP

12288:4ld5Utx2MeMB+iCe161fWM1BRBcD9l7lYmpU1g6l47YlAEWJHk0mlRX:4zMMMe25CeMfhvRGxagcgGkJH3mlRX

Score

10^/10

outsteel spyware stealer

Malware Config

Signatures

OutSteel
OutSteel is a file uploader and document stealer written in AutoIT.
stealer outsteel
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\u:	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe
File opened (read-only)	\??\y:	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe
File opened (read-only)	\??\e:	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe
File opened (read-only)	\??\h:	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe
File opened (read-only)	\??\i:	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe
File opened (read-only)	\??\l:	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe
File opened (read-only)	\??\m:	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe
File opened (read-only)	\??\o:	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe
File opened (read-only)	\??\k:	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe
File opened (read-only)	\??\p:	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe
File opened (read-only)	\??\t:	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe
File opened (read-only)	\??\x:	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe
File opened (read-only)	\??\z:	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe
File opened (read-only)	\??\b:	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe
File opened (read-only)	\??\j:	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe
File opened (read-only)	\??\s:	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe
File opened (read-only)	\??\w:	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe
File opened (read-only)	\??\a:	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe
File opened (read-only)	\??\g:	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe
File opened (read-only)	\??\n:	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe
File opened (read-only)	\??\q:	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe
File opened (read-only)	\??\r:	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe
File opened (read-only)	\??\v:	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe

AutoIT Executable 11 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/3812-2-0x0000000002800000-0x00000000028DD000-memory.dmp	autoit_exe
behavioral2/memory/3812-3-0x0000000000400000-0x0000000000A88000-memory.dmp	autoit_exe
behavioral2/memory/3812-4-0x0000000000400000-0x0000000000A88000-memory.dmp	autoit_exe
behavioral2/memory/3812-5-0x0000000000400000-0x0000000000A88000-memory.dmp	autoit_exe
behavioral2/memory/3812-7-0x0000000002800000-0x00000000028DD000-memory.dmp	autoit_exe
behavioral2/memory/3812-8-0x0000000000400000-0x0000000000A88000-memory.dmp	autoit_exe
behavioral2/memory/3812-10-0x0000000000400000-0x0000000000A88000-memory.dmp	autoit_exe
behavioral2/memory/3812-12-0x0000000000400000-0x0000000000A88000-memory.dmp	autoit_exe
behavioral2/memory/3812-14-0x0000000000400000-0x0000000000A88000-memory.dmp	autoit_exe
behavioral2/memory/3812-17-0x0000000000400000-0x0000000000A88000-memory.dmp	autoit_exe
behavioral2/memory/3812-19-0x0000000000400000-0x0000000000A88000-memory.dmp	autoit_exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 3196	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	95
PID 3812 wrote to memory of 3196	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	95
PID 3812 wrote to memory of 3196	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	95
PID 3812 wrote to memory of 1712	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	97
PID 3812 wrote to memory of 1712	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	97
PID 3812 wrote to memory of 1712	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	97
PID 3812 wrote to memory of 2448	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	99
PID 3812 wrote to memory of 2448	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	99
PID 3812 wrote to memory of 2448	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	99
PID 3812 wrote to memory of 3564	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	101
PID 3812 wrote to memory of 3564	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	101
PID 3812 wrote to memory of 3564	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	101
PID 3812 wrote to memory of 4588	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	103
PID 3812 wrote to memory of 4588	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	103
PID 3812 wrote to memory of 4588	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	103
PID 3812 wrote to memory of 408	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	105
PID 3812 wrote to memory of 408	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	105
PID 3812 wrote to memory of 408	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	105
PID 3812 wrote to memory of 1796	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	107
PID 3812 wrote to memory of 1796	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	107
PID 3812 wrote to memory of 1796	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	107
PID 3812 wrote to memory of 1068	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	109
PID 3812 wrote to memory of 1068	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	109
PID 3812 wrote to memory of 1068	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	109
PID 3812 wrote to memory of 1628	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	111
PID 3812 wrote to memory of 1628	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	111
PID 3812 wrote to memory of 1628	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	111
PID 3812 wrote to memory of 2160	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	113
PID 3812 wrote to memory of 2160	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	113
PID 3812 wrote to memory of 2160	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	113
PID 3812 wrote to memory of 2732	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	115
PID 3812 wrote to memory of 2732	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	115
PID 3812 wrote to memory of 2732	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	115
PID 3812 wrote to memory of 4720	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	117
PID 3812 wrote to memory of 4720	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	117
PID 3812 wrote to memory of 4720	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	117
PID 3812 wrote to memory of 4384	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	121
PID 3812 wrote to memory of 4384	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	121
PID 3812 wrote to memory of 4384	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	121
PID 3812 wrote to memory of 2720	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	123
PID 3812 wrote to memory of 2720	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	123
PID 3812 wrote to memory of 2720	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	123
PID 3812 wrote to memory of 3744	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	127
PID 3812 wrote to memory of 3744	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	127
PID 3812 wrote to memory of 3744	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	127
PID 3812 wrote to memory of 4316	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	129
PID 3812 wrote to memory of 4316	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	129
PID 3812 wrote to memory of 4316	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	129
PID 3812 wrote to memory of 5100	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	131
PID 3812 wrote to memory of 5100	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	131
PID 3812 wrote to memory of 5100	3812	56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe	131

C:\Users\Admin\AppData\Local\Temp\56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe
"C:\Users\Admin\AppData\Local\Temp\56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256.exe"
1⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
  2⤵
  PID:3196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
  2⤵
  PID:1712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
  2⤵
  PID:2448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
  2⤵
  PID:3564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
  2⤵
  PID:4588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
  2⤵
  PID:408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
  2⤵
  PID:1796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
  2⤵
  PID:1068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
  2⤵
  PID:1628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
  2⤵
  PID:2160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
  2⤵
  PID:2732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
  2⤵
  PID:4720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
  2⤵
  PID:4384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
  2⤵
  PID:2720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
  2⤵
  PID:3744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
  2⤵
  PID:4316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
  2⤵
  PID:5100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3636 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3812-1-0x0000000000B90000-0x0000000000C90000-memory.dmp

Filesize
1024KB

Download
memory/3812-2-0x0000000002800000-0x00000000028DD000-memory.dmp

Filesize
884KB

Download
memory/3812-3-0x0000000000400000-0x0000000000A88000-memory.dmp

Filesize
6.5MB

Download
memory/3812-4-0x0000000000400000-0x0000000000A88000-memory.dmp

Filesize
6.5MB

Download
memory/3812-5-0x0000000000400000-0x0000000000A88000-memory.dmp

Filesize
6.5MB

Download
memory/3812-6-0x0000000000B90000-0x0000000000C90000-memory.dmp

Filesize
1024KB

Download
memory/3812-7-0x0000000002800000-0x00000000028DD000-memory.dmp

Filesize
884KB

Download
memory/3812-8-0x0000000000400000-0x0000000000A88000-memory.dmp

Filesize
6.5MB

Download
memory/3812-10-0x0000000000400000-0x0000000000A88000-memory.dmp

Filesize
6.5MB

Download
memory/3812-12-0x0000000000400000-0x0000000000A88000-memory.dmp

Filesize
6.5MB

Download
memory/3812-14-0x0000000000400000-0x0000000000A88000-memory.dmp

Filesize
6.5MB

Download
memory/3812-17-0x0000000000400000-0x0000000000A88000-memory.dmp

Filesize
6.5MB

Download
memory/3812-19-0x0000000000400000-0x0000000000A88000-memory.dmp

Filesize
6.5MB

Download