Analysis
-
max time kernel
141s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
10-04-2024 13:00
General
-
Target
9fbeb629ea0dc72ac8db680855984d51b28c1195e48abff2e68b0228f49d5b0f.exe
-
Size
2.5MB
-
MD5
65792e4d02f910d20dcf74487cb9fab1
-
SHA1
942337f3ea28f553b47dc05726bb062befe09fef
-
SHA256
9fbeb629ea0dc72ac8db680855984d51b28c1195e48abff2e68b0228f49d5b0f
-
SHA512
14f2bc63e7c59a9988426f71905066596d15def0f1238b6acac1aa45367ca896bfcfd24e984fffcf8ba4cd36130da6c67530a876992b7e80c1591df4cf25fd9e
-
SSDEEP
49152:k1pt5y4+ehRpj3bQxZI9SoesOCpnROKcQtngNbawIVbf8Amz2FNaZU6NVX:k9M7ERF3bcZipROTMngNVKr02v2t
Malware Config
Signatures
-
OutSteel
OutSteel is a file uploader and document stealer written in AutoIT.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
AutoIT Executable 8 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9fbeb629ea0dc72ac8db680855984d51b28c1195e48abff2e68b0228f49d5b0f.exe"C:\Users\Admin\AppData\Local\Temp\9fbeb629ea0dc72ac8db680855984d51b28c1195e48abff2e68b0228f49d5b0f.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.docx" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.docm" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xls" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xlsx" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xlsm" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pptx" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.txt" /S /B /A2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.9MB
-
Filesize
384KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.9MB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
512KB
-
Filesize
4KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
56KB
-
Filesize
512KB
-
Filesize
4.9MB
-
Filesize
384KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB