96dd5b0abe337b23d4caa746a29c196af3508fa103d16a1f180e13730cdb773b

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/04/2024, 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64.exe
Size

401KB
MD5

3e682955546fe3b6b1296a509ff80f65
SHA1

da050e533305cd03b0235af1cbccfd3ff611d4c3
SHA256

96dd5b0abe337b23d4caa746a29c196af3508fa103d16a1f180e13730cdb773b
SHA512

dcb1dc90e85179e39dfcc773f9f790e230d9b563cb50dedac1f2e5d0106797bd8fd2b8c9a14b68134eb0b5b7aff66de1b6f6c46a69f9d98542070fa168d87436
SSDEEP

6144:cDGeTb5E+Z7EAXrvPRIxK0zBL/TIDC2dL3RltnfoBglM7zMUdsvk3zhAt76zkiz4:cDGelZ7FXrPy4ix+LBltsgK7zXIqbkT

Score

9^/10

spyware stealer

Malware Config

Signatures

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/1800-0-0x0000000000A90000-0x0000000000AFA000-memory.dmp	WebBrowserPassView
behavioral1/files/0x000a0000000122b8-6.dat	WebBrowserPassView

Nirsoft 2 IoCs

resource	yara_rule
behavioral1/memory/1800-0-0x0000000000A90000-0x0000000000AFA000-memory.dmp	Nirsoft
behavioral1/files/0x000a0000000122b8-6.dat	Nirsoft

Executes dropped EXE 1 IoCs

pid	Process
1788	WebBrowserPassView.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1788	WebBrowserPassView.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 1788	1800	64.exe	28
PID 1800 wrote to memory of 1788	1800	64.exe	28
PID 1800 wrote to memory of 1788	1800	64.exe	28
PID 1800 wrote to memory of 1788	1800	64.exe	28

C:\Users\Admin\AppData\Local\Temp\64.exe
"C:\Users\Admin\AppData\Local\Temp\64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Users\Public\WebBrowserPassView.exe
  "C:\Users\Public\WebBrowserPassView.exe" /stext C:\Users\Public\WebBrowserPassView.txt
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\WebBrowserPassView.exe

Filesize
391KB

MD5
8b2597e2844a621b45f2616952b074b2

SHA1
c93b6da0726154b989674219e2c0238559d73f62

SHA256
119a6e9c8246102cd4cc8c6926d9c9ef66646079ff361dd73cf43e869081f0c6

SHA512
552f7675b39cbf74dc3b5b1571cec5b6c6b3e2b8ef287126f5b48d6d5940b12680149f835fd53e04286aece3dc8dc7c51e76d17b48150d0d4ddf4e3f0d6cabd2

Download Submit
C:\Users\Public\WebBrowserPassView.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/1800-0-0x0000000000A90000-0x0000000000AFA000-memory.dmp

Filesize
424KB

Download
memory/1800-2-0x000007FEF5870000-0x000007FEF625C000-memory.dmp

Filesize
9.9MB

Download
memory/1800-11-0x000007FEF5870000-0x000007FEF625C000-memory.dmp

Filesize
9.9MB

Download