Analysis Overview
SHA256
b5690971684484c0c1f3b29f428e631ac18af0b8bf636ea0230a1b7fd082418b
Threat Level: Known bad
The file b5690971684484c0c1f3b29f428e631ac18af0b8bf636ea0230a1b7fd082418b was found to be: Known bad.
Malicious Activity Summary
Detects executables referencing many email and collaboration clients. Observed in information stealers
Detects executables referencing Discord tokens regular expressions
Detects executables with interest in wireless interface using netsh
Detects executables referencing credit card regular expressions
Stealerium
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Detects executables manipulated with Fody
Detects executables referencing many VPN software clients. Observed in infosteslers
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Stealerium family
Detects executables with interest in wireless interface using netsh
Detects executables referencing many email and collaboration clients. Observed in information stealers
Detects executables referencing many VPN software clients. Observed in infosteslers
Detects executables referencing credit card regular expressions
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Detects executables manipulated with Fody
Detects executables referencing Discord tokens regular expressions
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Kills process with taskkill
Delays execution with timeout.exe
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-08 02:02
Signatures
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables manipulated with Fody
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables referencing Discord tokens regular expressions
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables referencing credit card regular expressions
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables referencing many VPN software clients. Observed in infosteslers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables referencing many email and collaboration clients. Observed in information stealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables with interest in wireless interface using netsh
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Stealerium family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-08 02:02
Reported
2024-05-08 02:04
Platform
win7-20240220-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Stealerium
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables manipulated with Fody
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables referencing Discord tokens regular expressions
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables referencing credit card regular expressions
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables referencing many VPN software clients. Observed in infosteslers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables referencing many email and collaboration clients. Observed in information stealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables with interest in wireless interface using netsh
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b5690971684484c0c1f3b29f428e631ac18af0b8bf636ea0230a1b7fd082418b.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b5690971684484c0c1f3b29f428e631ac18af0b8bf636ea0230a1b7fd082418b.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b5690971684484c0c1f3b29f428e631ac18af0b8bf636ea0230a1b7fd082418b.exe
"C:\Users\Admin\AppData\Local\Temp\b5690971684484c0c1f3b29f428e631ac18af0b8bf636ea0230a1b7fd082418b.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp4043.tmp.bat
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\taskkill.exe
TaskKill /F /IM 2360
C:\Windows\SysWOW64\timeout.exe
Timeout /T 2 /Nobreak
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
Files
memory/2360-0-0x000000007455E000-0x000000007455F000-memory.dmp
memory/2360-1-0x0000000000070000-0x0000000000202000-memory.dmp
memory/2360-2-0x0000000074550000-0x0000000074C3E000-memory.dmp
memory/2360-6-0x0000000002160000-0x00000000021F2000-memory.dmp
memory/2360-7-0x0000000002030000-0x0000000002056000-memory.dmp
memory/2360-8-0x0000000000820000-0x0000000000828000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar3FE5.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\Local\Temp\tmp4043.tmp.bat
| MD5 | 4223a1770a8fd1376f49e36b9ec70517 |
| SHA1 | e0964fa7ff5d9a361e54f95c286659214d752e31 |
| SHA256 | b2d07f7e84217a13983723468efa974d15640b4936c501b95d367516c8fa0e5f |
| SHA512 | 85adf38e6b77dee40cc332c7ba8eaa3c01ba498d17c2a86b6ed39e4f70bf32c16e88b32027fc90257222521e9d3bc8b94bcd500c1079c62c37d2652eb35d0f41 |
memory/2360-50-0x0000000074550000-0x0000000074C3E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-08 02:02
Reported
2024-05-08 02:04
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Stealerium
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables manipulated with Fody
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables referencing Discord tokens regular expressions
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables referencing credit card regular expressions
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables referencing many VPN software clients. Observed in infosteslers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables referencing many email and collaboration clients. Observed in information stealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables with interest in wireless interface using netsh
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b5690971684484c0c1f3b29f428e631ac18af0b8bf636ea0230a1b7fd082418b.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b5690971684484c0c1f3b29f428e631ac18af0b8bf636ea0230a1b7fd082418b.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b5690971684484c0c1f3b29f428e631ac18af0b8bf636ea0230a1b7fd082418b.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b5690971684484c0c1f3b29f428e631ac18af0b8bf636ea0230a1b7fd082418b.exe
"C:\Users\Admin\AppData\Local\Temp\b5690971684484c0c1f3b29f428e631ac18af0b8bf636ea0230a1b7fd082418b.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5D62.tmp.bat
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\taskkill.exe
TaskKill /F /IM 4848
C:\Windows\SysWOW64\timeout.exe
Timeout /T 2 /Nobreak
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.138.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp |
Files
memory/4848-0-0x00000000748DE000-0x00000000748DF000-memory.dmp
memory/4848-1-0x0000000000B40000-0x0000000000CD2000-memory.dmp
memory/4848-2-0x0000000005670000-0x00000000056D6000-memory.dmp
memory/4848-3-0x00000000748D0000-0x0000000075080000-memory.dmp
memory/4848-7-0x0000000005BF0000-0x0000000005C82000-memory.dmp
memory/4848-8-0x0000000005C80000-0x0000000005CA6000-memory.dmp
memory/4848-9-0x0000000005CB0000-0x0000000005CB8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp5D62.tmp.bat
| MD5 | 0998d926b0b6feee262bc549214fe993 |
| SHA1 | a4872067d9695a2137c9375def30e84bd2d7470d |
| SHA256 | 842e3fc82905cc4f42416acd0c9cc2b5e593a8a719c4e822706f1abf5de3d6a0 |
| SHA512 | 23a81de0831dc796bced38281309cca46f64ed6eb92c38e0bec91e93c1f98fc69e844cacbbc1246b9e9f45b69ebedf09cff9220521fddd3942885b65994b3eea |
memory/4848-14-0x00000000748D0000-0x0000000075080000-memory.dmp