General

  • Target

    Exoticexternal.zip

  • Size

    17.0MB

  • Sample

    240423-zp53yabh34

  • MD5

    0542d292f8c112539c4c16d28d58b768

  • SHA1

    3f9563d3e0b9978005b811c5bf1eb20535e59f52

  • SHA256

    0d5b9bd6e51cae5e7886a68238645e8e994892b01abe68c1e855365606a061f6

  • SHA512

    88dd6cf6ec6ef8589038c09b103539eae988d12126056ec5fffc1f693e2dee558fd48fa3b2ff8a59df4d8e7032293087251deb98db2f48bfebd1c12fac6cde7c

  • SSDEEP

    393216:cX51Oafe10ZAlyk143gUOrTFXoQKRObP1AReA0JK:cpsaf40W314QUqpo3Ri2RedK
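Before trusting any sandbox verdict, confirm that the file on your own disk is the same object the report describes. The following Python is an added example, not part of the report or the sandbox: it streams a file once through the four standard digests and compares them to the report's values for Exoticexternal.zip (the SSDEEP fuzzy hash needs a third-party library and is left out). The local filename is an assumption.

```python
"""Verify a local copy of the sample against the digests listed in a sandbox report.

Added example, not part of the report or the sandbox. REPORTED holds the
report's own hashes for Exoticexternal.zip; the file path is an assumption.
"""
import hashlib
import io
import sys

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

# Digests copied from the report's General section for Exoticexternal.zip.
REPORTED = {
    "md5": "0542d292f8c112539c4c16d28d58b768",
    "sha1": "3f9563d3e0b9978005b811c5bf1eb20535e59f52",
    "sha256": "0d5b9bd6e51cae5e7886a68238645e8e994892b01abe68c1e855365606a061f6",
    "sha512": "88dd6cf6ec6ef8589038c09b103539eae988d12126056ec5fffc1f693e2dee55"
              "8fd48fa3b2ff8a59df4d8e7032293087251deb98db2f48bfebd1c12fac6cde7c",
}


def digest_stream(stream, chunk_size=1 << 20):
    """Read the stream once and feed every hasher, so a 17 MB file is not read four times."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    """Digest an in-memory blob (useful for self-tests and small artifacts)."""
    return digest_stream(io.BytesIO(data))


def compute_hashes(path):
    """Digest a file on disk."""
    with open(path, "rb") as fh:
        return digest_stream(fh)


def check(actual, expected):
    """Per-algorithm verdict; every value must be True before the report applies to this file."""
    return {algo: actual.get(algo, "").lower() == digest.lower()
            for algo, digest in expected.items()}


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "Exoticexternal.zip"  # assumed local filename
    verdict = check(compute_hashes(path), REPORTED)
    for algo, ok in verdict.items():
        print(f"{algo:6} {'OK' if ok else 'MISMATCH'}")
    sys.exit(0 if all(verdict.values()) else 1)
```

Run it as `python verify.py /path/to/Exoticexternal.zip`; a non-zero exit on any mismatch makes it safe to chain in a triage script. Comparing all four digests rather than MD5 alone matters because MD5 collisions are cheap to produce.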

Malware Config

Targets

    • Target

      Exoticexternal.zip

    • Size

      17.0MB

    • MD5

      0542d292f8c112539c4c16d28d58b768

    • SHA1

      3f9563d3e0b9978005b811c5bf1eb20535e59f52

    • SHA256

      0d5b9bd6e51cae5e7886a68238645e8e994892b01abe68c1e855365606a061f6

    • SHA512

      88dd6cf6ec6ef8589038c09b103539eae988d12126056ec5fffc1f693e2dee558fd48fa3b2ff8a59df4d8e7032293087251deb98db2f48bfebd1c12fac6cde7c

    • SSDEEP

      393216:cX51Oafe10ZAlyk143gUOrTFXoQKRObP1AReA0JK:cpsaf40W314QUqpo3Ri2RedK

    Score
    1/10

    • Target

      Exotic.exe

    • Size

      17.2MB

    • MD5

      b45e397ad6ada395d8de4151911dd1a6

    • SHA1

      c3b3484953c0e2ac60dad617591b6357aacca1d7

    • SHA256

      bf349655aa3cc9bd627892d0a224af252bb6da707455474248d44876d14a1976

    • SHA512

      d5f042215d1d433ab8d05878cfb3e61b413a6892f9f1d5339f67051ee85dbba16e828f71e27fde097c4c2b3ed5c999931285d88a487471fe1bcc824e3960f38d

    • SSDEEP

      393216:CEkZQpP8AxYDwdQuslSl99oWOv+9fgd62ts4ev3h:ChQSXsdQu9DorvSYd6asPh

    Score
    7/10

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials and other sensitive profile contents.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      creal.pyc

    • Size

      39KB

    • MD5

      0565484c3d4160c0c43cdf819645fb2d

    • SHA1

      9d8c87f60aed4e828ee4bc2692b5379a1c284237

    • SHA256

      4ff92e8da1372d22060e5223cf7b316d96bcbe09264174f5486168368001d9c2

    • SHA512

      19130ee88139135734941c743156a8401f80881b5e8fc857347a2019249c213cd8eb1d8a52e5cf0b890f0a52b2c080d7e9fe3bde3a88c3778ddf07ae41fc82ea

    • SSDEEP

      768:CDP7bnrv7lFrAgArVxsy1qS7hH4aArxgkIdt3FZa2VbJgjFiYCuKABNHrbRH/iYb:M7brv3wxsKHYxg33FZaQV0FiYCuK4NnZ

    Score
    3/10
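Three of the Exotic.exe signatures above (browser profile data, cryptocurrency wallet files, and an external IP lookup through a web service) can be reproduced as simple path and URL matching over file and network events. The Python below is an added example, not the sandbox's own signature logic: the indicator paths and domains, the "pid process operation target" log format and the sample events are all assumptions constructed for illustration, and the ATT&CK IDs attached to each rule follow the report's matrix.

```python
"""Toy re-implementation of three behavioural signatures from the report.

Added example, not the sandbox's rules. Indicator lists, log format and
sample events are constructed assumptions for illustration only.
"""
import re
from collections import defaultdict

# Each rule: (signature name as shown in the report, ATT&CK technique IDs, pattern on the target).
# Indicator lists are assumptions for this example, not an exhaustive or official set.
RULES = [
    ("Reads user/profile data of web browsers", ("T1552.001", "T1005"),
     re.compile(r"\\(Login Data|Web Data|Cookies|logins\.json|key4\.db)$", re.IGNORECASE)),
    ("Accesses cryptocurrency files/wallets, possible credential harvesting", ("T1552.001", "T1005"),
     re.compile(r"\\(wallet\.dat$|Exodus\\|Electrum\\|atomic\\)", re.IGNORECASE)),
    ("Looks up external IP address via web service", ("T1102",),
     re.compile(r"^https?://(api\.ipify\.org|ip-api\.com|ipinfo\.io)(/|$)", re.IGNORECASE)),
]

# Constructed sample events in the assumed format: pid process operation target.
SAMPLE_EVENTS = r"""
4412 Exotic.exe FileOpen C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data
4412 Exotic.exe FileOpen C:\Users\victim\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\logins.json
4412 Exotic.exe FileOpen C:\Users\victim\AppData\Roaming\Exodus\exodus.wallet\seed.seco
4412 Exotic.exe HttpGet https://api.ipify.org/?format=json
1200 explorer.exe FileOpen C:\Users\victim\Documents\notes.txt
"""


def parse_events(text):
    """Parse 'pid process operation target' lines; the target may itself contain spaces."""
    events = []
    for line in text.strip().splitlines():
        pid, process, op, target = line.split(maxsplit=3)
        events.append({"pid": int(pid), "process": process, "op": op, "target": target})
    return events


def scan_events(text):
    """Return {process: [(signature, technique_ids, target), ...]} for every rule that fires."""
    hits = defaultdict(list)
    for ev in parse_events(text):
        for name, techniques, pattern in RULES:
            if pattern.search(ev["target"]):
                hits[ev["process"]].append((name, techniques, ev["target"]))
    return dict(hits)


def techniques_by_process(hits):
    """Collapse hits into the set of ATT&CK IDs per process, the shape of the report's matrix."""
    return {proc: {t for _, techs, _ in entries for t in techs} for proc, entries in hits.items()}


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for proc, entries in hits.items():
        print(proc)
        for name, techs, target in entries:
            print(f"  [{', '.join(techs)}] {name}: {target}")
    print(techniques_by_process(hits))
```

Only Exotic.exe trips any rule on the constructed events; explorer.exe opening a document does not, which is the behaviour a rule set like this needs to preserve when pointed at real endpoint telemetry. A production detection would key on the same path suffixes but would also require the accessing process to be something other than the browser or wallet application itself.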

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                 Technique                        ID          Count
  Credential Access      Unsecured Credentials            T1552       2
  Credential Access      Credentials In Files             T1552.001   2
  Discovery              Query Registry                   T1012       1
  Discovery              System Information Discovery     T1082       2
  Discovery              Process Discovery                T1057       1
  Collection             Data from Local System           T1005       2
  Command and Control    Web Service                      T1102       1
