allcome | 69ee540d78678ca031d4b00626415ca52f22f57f96c4504203490e9234f60b55

Analysis

max time kernel
150s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2024 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69ee540d78678ca031d4b00626415ca52f22f57f96c4504203490e9234f60b55.exe
Size

128KB
MD5

2a82f35e7a79350c0a1257358130c4e3
SHA1

b57cfc659efa353f98b379446879607e1557899a
SHA256

69ee540d78678ca031d4b00626415ca52f22f57f96c4504203490e9234f60b55
SHA512

a839742a450b9baf2dcd731592bc4cedd4af4271912fbc4711f87ef091fe9ea464dfbed2ba07b28ea156c029a36eb40b70c8093759593644ebcd6b822844236e
SSDEEP

3072:9rn4CuDcpMkymV5x0RCVZeeUebHCDYp61FmHhe8pTAV02DtEb:9r4Ndkf5xUCXUXDY8TDtEb

Score

10^/10

allcome stealer

Malware Config

Extracted

Family

allcome

http://62.109.16.47/API/2/configure.php?cf6zrlhn=tuffdebil

Wallets

DT8qmpTEqkbS1f41LFbbJxNu4gQtq6vU9c

rndEWHECqLsUt9miLwqW3RYmW63obkDucj

0xc4B4D212105d8851b0AAc48B01e0408d9956da27

Xj6ujQQNd2u2xKE5RK3g6ZJhoKmxDjTGKG

TKtQmTGQ4QJjzvPNqerkpk15P3c1AfbuK6

t1RNmZVMrdyT6XjPukeDFkkicsyejUYEE45

GCUNI73ZCKWSLR3Q3XM5D5JY6DKAFFFROM24UPFRTAJS2D52TRRRC532

42CzrSj7VTyRt1GB5tERnaSBJSEBJanQVgErPXHmBhCWQ3hzpvfFJUvAVommbRU65dKYyGRK2pHZdcHBE41nEQ13FoARFM6

qr8lrc2yz86jyjsu8mluckud4g9jhktjsggj4xn7kj

131Qoe2y3TGKRKg31doXKj1sYw5QoUx869

0xc4B4D212105d8851b0AAc48B01e0408d9956da27

LW7EWoy18v5AYu31ULMg3P1EoyT4w3srEq

ronin:23613a91878db0847e3d22f3c3812b996b38071a

MEJzu6SkhEDJvofLjwLwTTRqeZoCCVBAEx

ltc1q3d8c47dmek3c7pg6sj9uzqj99gxa0kfky2fml0

Signatures

Allcome
A clipbanker that supports stealing different cryptocurrency wallets and payment forms.
stealer allcome

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

69ee540d78678ca031d4b00626415ca52f22f57f96c4504203490e9234f60b55.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	69ee540d78678ca031d4b00626415ca52f22f57f96c4504203490e9234f60b55.exe

Executes dropped EXE 1 IoCs

Processes:

MoUSO.exe

pid process

4168 MoUSO.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1572 schtasks.exe

pid	process
1572	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MoUSO.exe

pid	process
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe
4168	MoUSO.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

69ee540d78678ca031d4b00626415ca52f22f57f96c4504203490e9234f60b55.exe

description	pid	process	target process
PID 3364 wrote to memory of 1572	3364	69ee540d78678ca031d4b00626415ca52f22f57f96c4504203490e9234f60b55.exe	schtasks.exe
PID 3364 wrote to memory of 1572	3364	69ee540d78678ca031d4b00626415ca52f22f57f96c4504203490e9234f60b55.exe	schtasks.exe
PID 3364 wrote to memory of 1572	3364	69ee540d78678ca031d4b00626415ca52f22f57f96c4504203490e9234f60b55.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\69ee540d78678ca031d4b00626415ca52f22f57f96c4504203490e9234f60b55.exe
"C:\Users\Admin\AppData\Local\Temp\69ee540d78678ca031d4b00626415ca52f22f57f96c4504203490e9234f60b55.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3364
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
  2⤵
  - Creates scheduled task(s)
  PID:1572

C:\Users\Admin\AppData\Local\cache\MoUSO.exe
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\cache\MoUSO.exe

Filesize
128KB

MD5
2a82f35e7a79350c0a1257358130c4e3

SHA1
b57cfc659efa353f98b379446879607e1557899a

SHA256
69ee540d78678ca031d4b00626415ca52f22f57f96c4504203490e9234f60b55

SHA512
a839742a450b9baf2dcd731592bc4cedd4af4271912fbc4711f87ef091fe9ea464dfbed2ba07b28ea156c029a36eb40b70c8093759593644ebcd6b822844236e

Download Submit