1984264959b7d63e516544cbce4b6dffb7ed5210a472437dd88068f4d39600e2

General

Target

1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe
Size

483KB
MD5

3a9fb5399a485d6e94d5ffe6e2349e74
SHA1

9f5438e7296fe2ca8f7efb574e7139923756ceb8
SHA256

1984264959b7d63e516544cbce4b6dffb7ed5210a472437dd88068f4d39600e2
SHA512

955363ff31b0d5225a90452f1e9d676a4c81a21380289381f96206854914fd0a125ffb434b598a28c9d75a210ac2d793e06757e065f4d1d99447d6284ccd712e
SSDEEP

6144:mXIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZDAXYcNra5Gv:mX7tPMK8ctGe4Dzl4h2QnuPs/ZDncv

Score

9^/10

collection spyware stealer

Malware Config

Signatures

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/1192-12-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/1192-15-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/1192-16-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/1416-11-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/1416-24-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1192-12-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/3584-14-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/1192-15-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/3584-19-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/1192-16-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/1416-11-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/1416-24-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe

description	pid	process	target process
PID 1724 set thread context of 1416	1724	1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe	1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe
PID 1724 set thread context of 1192	1724	1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe	1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe
PID 1724 set thread context of 3584	1724	1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe	1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe

pid	process
1416	1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe
1416	1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe
3584	1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe
3584	1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe
1416	1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe
1416	1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe

pid	process
1724	1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe
1724	1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe
1724	1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe

description pid process

Token: SeDebugPrivilege 3584 1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe

description	pid	process
Token: SeDebugPrivilege	3584	1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe

description	pid	process	target process
PID 1724 wrote to memory of 1416	1724	1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe	1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe
PID 1724 wrote to memory of 1416	1724	1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe	1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe
PID 1724 wrote to memory of 1416	1724	1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe	1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe
PID 1724 wrote to memory of 1192	1724	1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe	1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe
PID 1724 wrote to memory of 1192	1724	1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe	1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe
PID 1724 wrote to memory of 1192	1724	1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe	1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe
PID 1724 wrote to memory of 3584	1724	1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe	1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe
PID 1724 wrote to memory of 3584	1724	1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe	1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe
PID 1724 wrote to memory of 3584	1724	1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe	1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe

C:\Users\Admin\AppData\Local\Temp\1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe
"C:\Users\Admin\AppData\Local\Temp\1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Local\Temp\1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe
C:\Users\Admin\AppData\Local\Temp\1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe /stext "C:\Users\Admin\AppData\Local\Temp\gjxgj"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1416

C:\Users\Admin\AppData\Local\Temp\1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe
C:\Users\Admin\AppData\Local\Temp\1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe /stext "C:\Users\Admin\AppData\Local\Temp\qmcqkeog"
2⤵
- Accesses Microsoft Outlook accounts
PID:1192

C:\Users\Admin\AppData\Local\Temp\1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe
C:\Users\Admin\AppData\Local\Temp\1713283209b718b3402f0849bd96c1191ce385ad0742966accbbfb52b7b95b60820687e4a6909.dat-decoded.exe /stext "C:\Users\Admin\AppData\Local\Temp\tghjkwzanrtg"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3584

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gjxgj
Filesize
4KB

MD5
00b6db75569a003359acbd01b5768218

SHA1
5c97970de86d2cf2bb34c44cce762a02aeb4c780

SHA256
d48e19c97ae625f732d0d30a3cc3e70f5ce45502e7b4b62d779595e6da8040f0

SHA512
39a7261f275fe61a292c4ddeb2b800506a7fe878ee238a872a3711fc02b3a6fa4e33ef898ef96a4329f022446142eabb0e7be7c24fab69198bc8e789135a0bec

Download Submit
memory/1192-16-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1192-2-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1192-8-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1192-12-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1192-15-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1416-1-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1416-6-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1416-24-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1416-11-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1724-31-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1724-27-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1724-32-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1724-30-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1724-33-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1724-34-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3584-19-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3584-14-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3584-9-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3584-4-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads