Overview

overview

10

Static

static

1

cb4a93864a...f1.exe

windows7-x64

10

cb4a93864a...f1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    10-04-2024 14:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cb4a93864a19fc14c1e5221912f8e7f409b5b8d835f1b3acc3712b80e4a909f1.exe

  • Size

    598KB

  • MD5

    e0ca9d7fdf345af474332533ee50dfb6

  • SHA1

    303f5df8841a33886413435a61809d338a66639b

  • SHA256

    cb4a93864a19fc14c1e5221912f8e7f409b5b8d835f1b3acc3712b80e4a909f1

  • SHA512

    93d04456ca2915ed7cbfe8058b4283198cd9851e73dd4d2e2271889be622c3aa498506cb7ceef63d0eb1243d9987373fe47f0f579e96c03a6a3e5f5321f9d616

  • SSDEEP

    12288:jN2vXjWMzp7E9Yy+PIPx2TQ1RABd89XBJm3QXNOZJxRYE601YlPmOU8L:jgrh7E6r5Q7AaJBo3QXerYfe0

Score
10/10
outsteelspywarestealer

Malware Config

Signatures

  • OutSteel

    OutSteel is a file uploader and document stealer written in AutoIT.

    stealeroutsteel
  • OutSteel batch script 1 IoCs

    Detects batch script dropped by OutSteel

  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 17 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cb4a93864a19fc14c1e5221912f8e7f409b5b8d835f1b3acc3712b80e4a909f1.exe
    "C:\Users\Admin\AppData\Local\Temp\cb4a93864a19fc14c1e5221912f8e7f409b5b8d835f1b3acc3712b80e4a909f1.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Users\Admin\AppData\Local\Temp\cb4a93864a19fc14c1e5221912f8e7f409b5b8d835f1b3acc3712b80e4a909f1.exe
      C:\Users\Admin\AppData\Local\Temp\cb4a93864a19fc14c1e5221912f8e7f409b5b8d835f1b3acc3712b80e4a909f1.exe
      2⤵
        PID:2592
      • C:\Users\Admin\AppData\Local\Temp\cb4a93864a19fc14c1e5221912f8e7f409b5b8d835f1b3acc3712b80e4a909f1.exe
        C:\Users\Admin\AppData\Local\Temp\cb4a93864a19fc14c1e5221912f8e7f409b5b8d835f1b3acc3712b80e4a909f1.exe
        2⤵
          PID:2652
        • C:\Users\Admin\AppData\Local\Temp\cb4a93864a19fc14c1e5221912f8e7f409b5b8d835f1b3acc3712b80e4a909f1.exe
          C:\Users\Admin\AppData\Local\Temp\cb4a93864a19fc14c1e5221912f8e7f409b5b8d835f1b3acc3712b80e4a909f1.exe
          2⤵
            PID:2668
          • C:\Users\Admin\AppData\Local\Temp\cb4a93864a19fc14c1e5221912f8e7f409b5b8d835f1b3acc3712b80e4a909f1.exe
            C:\Users\Admin\AppData\Local\Temp\cb4a93864a19fc14c1e5221912f8e7f409b5b8d835f1b3acc3712b80e4a909f1.exe
            2⤵
              PID:2672
            • C:\Users\Admin\AppData\Local\Temp\cb4a93864a19fc14c1e5221912f8e7f409b5b8d835f1b3acc3712b80e4a909f1.exe
              C:\Users\Admin\AppData\Local\Temp\cb4a93864a19fc14c1e5221912f8e7f409b5b8d835f1b3acc3712b80e4a909f1.exe
              2⤵
                PID:2680
              • C:\Users\Admin\AppData\Local\Temp\cb4a93864a19fc14c1e5221912f8e7f409b5b8d835f1b3acc3712b80e4a909f1.exe
                C:\Users\Admin\AppData\Local\Temp\cb4a93864a19fc14c1e5221912f8e7f409b5b8d835f1b3acc3712b80e4a909f1.exe
                2⤵
                  PID:2716
                • C:\Users\Admin\AppData\Local\Temp\cb4a93864a19fc14c1e5221912f8e7f409b5b8d835f1b3acc3712b80e4a909f1.exe
                  C:\Users\Admin\AppData\Local\Temp\cb4a93864a19fc14c1e5221912f8e7f409b5b8d835f1b3acc3712b80e4a909f1.exe
                  2⤵
                    PID:2656
                  • C:\Users\Admin\AppData\Local\Temp\cb4a93864a19fc14c1e5221912f8e7f409b5b8d835f1b3acc3712b80e4a909f1.exe
                    C:\Users\Admin\AppData\Local\Temp\cb4a93864a19fc14c1e5221912f8e7f409b5b8d835f1b3acc3712b80e4a909f1.exe
                    2⤵
                      PID:2604
                    • C:\Users\Admin\AppData\Local\Temp\cb4a93864a19fc14c1e5221912f8e7f409b5b8d835f1b3acc3712b80e4a909f1.exe
                      C:\Users\Admin\AppData\Local\Temp\cb4a93864a19fc14c1e5221912f8e7f409b5b8d835f1b3acc3712b80e4a909f1.exe
                      2⤵
                        PID:2556
                      • C:\Users\Admin\AppData\Local\Temp\cb4a93864a19fc14c1e5221912f8e7f409b5b8d835f1b3acc3712b80e4a909f1.exe
                        C:\Users\Admin\AppData\Local\Temp\cb4a93864a19fc14c1e5221912f8e7f409b5b8d835f1b3acc3712b80e4a909f1.exe
                        2⤵
                          PID:2596
                        • C:\Users\Admin\AppData\Local\Temp\cb4a93864a19fc14c1e5221912f8e7f409b5b8d835f1b3acc3712b80e4a909f1.exe
                          C:\Users\Admin\AppData\Local\Temp\cb4a93864a19fc14c1e5221912f8e7f409b5b8d835f1b3acc3712b80e4a909f1.exe
                          2⤵
                            PID:2788
                          • C:\Users\Admin\AppData\Local\Temp\cb4a93864a19fc14c1e5221912f8e7f409b5b8d835f1b3acc3712b80e4a909f1.exe
                            C:\Users\Admin\AppData\Local\Temp\cb4a93864a19fc14c1e5221912f8e7f409b5b8d835f1b3acc3712b80e4a909f1.exe
                            2⤵
                              PID:2580
                            • C:\Users\Admin\AppData\Local\Temp\cb4a93864a19fc14c1e5221912f8e7f409b5b8d835f1b3acc3712b80e4a909f1.exe
                              C:\Users\Admin\AppData\Local\Temp\cb4a93864a19fc14c1e5221912f8e7f409b5b8d835f1b3acc3712b80e4a909f1.exe
                              2⤵
                              • Enumerates connected drives
                              PID:2696
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
                                3⤵
                                  PID:2388
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
                                  3⤵
                                    PID:2616
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
                                    3⤵
                                      PID:2480
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
                                      3⤵
                                        PID:1656
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
                                        3⤵
                                          PID:2676
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
                                          3⤵
                                            PID:2876
                                          • C:\Windows\SysWOW64\cmd.exe
                                            C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
                                            3⤵
                                              PID:1968
                                            • C:\Windows\SysWOW64\cmd.exe
                                              C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
                                              3⤵
                                                PID:2376
                                              • C:\Windows\SysWOW64\cmd.exe
                                                C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
                                                3⤵
                                                  PID:1068
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
                                                  3⤵
                                                    PID:1236
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
                                                    3⤵
                                                      PID:496
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
                                                      3⤵
                                                        PID:1600
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
                                                        3⤵
                                                          PID:2296
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
                                                          3⤵
                                                            PID:2304
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
                                                            3⤵
                                                              PID:2420
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
                                                              3⤵
                                                                PID:760
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
                                                                3⤵
                                                                  PID:1500
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.txt" /S /B /A
                                                                  3⤵
                                                                    PID:296
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /U /C DIR "f:\*.doc" /S /B /A
                                                                    3⤵
                                                                      PID:2416
                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                      C:\Windows\system32\cmd.exe /U /C DIR "f:\*.pdf" /S /B /A
                                                                      3⤵
                                                                        PID:2972
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        C:\Windows\system32\cmd.exe /U /C DIR "f:\*.ppt" /S /B /A
                                                                        3⤵
                                                                          PID:376
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          C:\Windows\system32\cmd.exe /U /C DIR "f:\*.dot" /S /B /A
                                                                          3⤵
                                                                            PID:1592
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /U /C DIR "f:\*.xl" /S /B /A
                                                                            3⤵
                                                                              PID:1672
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /U /C DIR "f:\*.csv" /S /B /A
                                                                              3⤵
                                                                                PID:2640
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                C:\Windows\system32\cmd.exe /U /C DIR "f:\*.rtf" /S /B /A
                                                                                3⤵
                                                                                  PID:2784
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  C:\Windows\system32\cmd.exe /U /C DIR "f:\*.dot" /S /B /A
                                                                                  3⤵
                                                                                    PID:2664
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /U /C DIR "f:\*.mdb" /S /B /A
                                                                                    3⤵
                                                                                      PID:2300
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /U /C DIR "f:\*.accdb" /S /B /A
                                                                                      3⤵
                                                                                        PID:2708
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /U /C DIR "f:\*.pot" /S /B /A
                                                                                        3⤵
                                                                                          PID:2620
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          C:\Windows\system32\cmd.exe /U /C DIR "f:\*.pps" /S /B /A
                                                                                          3⤵
                                                                                            PID:2344
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /U /C DIR "f:\*.ppa" /S /B /A
                                                                                            3⤵
                                                                                              PID:2892
                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                              C:\Windows\system32\cmd.exe /U /C DIR "f:\*.rar" /S /B /A
                                                                                              3⤵
                                                                                                PID:2636
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /U /C DIR "f:\*.zip" /S /B /A
                                                                                                3⤵
                                                                                                  PID:2608
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  C:\Windows\system32\cmd.exe /U /C DIR "f:\*.tar" /S /B /A
                                                                                                  3⤵
                                                                                                    PID:2004
                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /U /C DIR "f:\*.7z" /S /B /A
                                                                                                    3⤵
                                                                                                      PID:1888
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      C:\Windows\system32\cmd.exe /U /C DIR "f:\*.txt" /S /B /A
                                                                                                      3⤵
                                                                                                        PID:2040
                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                        cmd /c start /min r.bat
                                                                                                        3⤵
                                                                                                          PID:2256
                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /K r.bat
                                                                                                            4⤵
                                                                                                            • Deletes itself
                                                                                                            PID:2880
                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                              cmd /min /c del "C:\Users\Admin\AppData\Local\Temp\r.bat"
                                                                                                              5⤵
                                                                                                                PID:496
                                                                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                Taskkill /IM cmd.exe /F
                                                                                                                5⤵
                                                                                                                • Kills process with taskkill
                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                PID:1772

                                                                                                      Network

                                                                                                      MITRE ATT&CK Enterprise v15

                                                                                                      Replay Monitor

                                                                                                      Loading Replay Monitor...

                                                                                                      Downloads

                                                                                                      • C:\Users\Admin\AppData\Local\Temp\r.bat
                                                                                                        Filesize

                                                                                                        256B

                                                                                                        MD5

                                                                                                        3d80a0da4bf21849fd9ba223d944194f

                                                                                                        SHA1

                                                                                                        8c182ea03b4958e13c8bf5ddd9f9cfcfdd5b4b20

                                                                                                        SHA256

                                                                                                        655ef795b6ceafb31d7f0d7b8bf8981cd0a1099a86c4d169f62c2d5f2059b295

                                                                                                        SHA512

                                                                                                        31de807e3e6a115c5053ffd99aea211ae2ef00bf009cc94560aa667d1bc3d2869f4a1c76f0642ea4ce5eaca69b2f2c6df75fc56f471ad2fc444024224a43d417

                                                                                                        Download Submit

                                                                                                      • memory/2028-0-0x0000000000240000-0x00000000002DA000-memory.dmp

                                                                                                        Filesize

                                                                                                        616KB

                                                                                                        Download

                                                                                                      • memory/2028-1-0x0000000074360000-0x0000000074A4E000-memory.dmp

                                                                                                        Filesize

                                                                                                        6.9MB

                                                                                                        Download

                                                                                                      • memory/2028-2-0x00000000071B0000-0x00000000071F0000-memory.dmp

                                                                                                        Filesize

                                                                                                        256KB

                                                                                                        Download

                                                                                                      • memory/2028-3-0x0000000000370000-0x0000000000380000-memory.dmp

                                                                                                        Filesize

                                                                                                        64KB

                                                                                                        Download

                                                                                                      • memory/2028-7-0x0000000074360000-0x0000000074A4E000-memory.dmp

                                                                                                        Filesize

                                                                                                        6.9MB

                                                                                                        Download

                                                                                                      • memory/2696-15-0x0000000000400000-0x00000000004E2000-memory.dmp

                                                                                                        Filesize

                                                                                                        904KB

                                                                                                        Download

                                                                                                      • memory/2696-39-0x0000000000400000-0x00000000004E2000-memory.dmp

                                                                                                        Filesize

                                                                                                        904KB

                                                                                                        Download

                                                                                                      • memory/2696-9-0x0000000000400000-0x00000000004E2000-memory.dmp

                                                                                                        Filesize

                                                                                                        904KB

                                                                                                        Download

                                                                                                      • memory/2696-11-0x0000000000400000-0x00000000004E2000-memory.dmp

                                                                                                        Filesize

                                                                                                        904KB

                                                                                                        Download

                                                                                                      • memory/2696-6-0x0000000000400000-0x00000000004E2000-memory.dmp

                                                                                                        Filesize

                                                                                                        904KB

                                                                                                        Download

                                                                                                      • memory/2696-23-0x0000000000400000-0x00000000004E2000-memory.dmp

                                                                                                        Filesize

                                                                                                        904KB

                                                                                                        Download

                                                                                                      • memory/2696-27-0x0000000000400000-0x00000000004E2000-memory.dmp

                                                                                                        Filesize

                                                                                                        904KB

                                                                                                        Download

                                                                                                      • memory/2696-31-0x0000000000400000-0x00000000004E2000-memory.dmp

                                                                                                        Filesize

                                                                                                        904KB

                                                                                                        Download

                                                                                                      • memory/2696-35-0x0000000000400000-0x00000000004E2000-memory.dmp

                                                                                                        Filesize

                                                                                                        904KB

                                                                                                        Download

                                                                                                      • memory/2696-8-0x0000000000400000-0x00000000004E2000-memory.dmp

                                                                                                        Filesize

                                                                                                        904KB

                                                                                                        Download

                                                                                                      • memory/2696-43-0x0000000000400000-0x00000000004E2000-memory.dmp

                                                                                                        Filesize

                                                                                                        904KB

                                                                                                        Download

                                                                                                      • memory/2696-47-0x0000000000400000-0x00000000004E2000-memory.dmp

                                                                                                        Filesize

                                                                                                        904KB

                                                                                                        Download

                                                                                                      • memory/2696-59-0x0000000000400000-0x00000000004E2000-memory.dmp

                                                                                                        Filesize

                                                                                                        904KB

                                                                                                        Download

                                                                                                      • memory/2696-63-0x0000000000400000-0x00000000004E2000-memory.dmp

                                                                                                        Filesize

                                                                                                        904KB

                                                                                                        Download

                                                                                                      • memory/2696-81-0x0000000000400000-0x00000000004E2000-memory.dmp

                                                                                                        Filesize

                                                                                                        904KB

                                                                                                        Download

                                                                                                      • memory/2696-155-0x0000000000400000-0x00000000004E2000-memory.dmp

                                                                                                        Filesize

                                                                                                        904KB

                                                                                                        Download

                                                                                                      • memory/2696-4-0x0000000000400000-0x00000000004E2000-memory.dmp

                                                                                                        Filesize

                                                                                                        904KB

                                                                                                        Download