6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a

General

Target

6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe
Size

2.7MB
MD5

679bd9d09f638d451ca73641e5544839
SHA1

70018c405d497826a1a1ab6e31f87e83240a288f
SHA256

6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a
SHA512

cfacaf648b1b1c732c0d3e9ce7edc41fbba6a04cef6be51c1adea52c89e1c335c1bfb7a59242e8b3d2800f1f3d3a5c371c6af299d6ab4cb6f4f2b6e5c2b146b8
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBWB/bSq:sxX7QnxrloE5dpUpxbV

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe	6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe

Executes dropped EXE 2 IoCs

Processes:

ecadob.exexdobec.exe

pid process

4048 ecadob.exe
536 xdobec.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4048	ecadob.exe
536	xdobec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxX3\\bodxec.exe"	6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesDM\\xdobec.exe"	6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exeecadob.exexdobec.exe

pid	process
3648	6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe
3648	6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe
3648	6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe
3648	6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe
4048	ecadob.exe
4048	ecadob.exe
536	xdobec.exe
536	xdobec.exe
4048	ecadob.exe
4048	ecadob.exe
536	xdobec.exe
536	xdobec.exe
4048	ecadob.exe
4048	ecadob.exe
536	xdobec.exe
536	xdobec.exe
4048	ecadob.exe
4048	ecadob.exe
536	xdobec.exe
536	xdobec.exe
4048	ecadob.exe
4048	ecadob.exe
536	xdobec.exe
536	xdobec.exe
4048	ecadob.exe
4048	ecadob.exe
536	xdobec.exe
536	xdobec.exe
4048	ecadob.exe
4048	ecadob.exe
536	xdobec.exe
536	xdobec.exe
4048	ecadob.exe
4048	ecadob.exe
536	xdobec.exe
536	xdobec.exe
4048	ecadob.exe
4048	ecadob.exe
536	xdobec.exe
536	xdobec.exe
4048	ecadob.exe
4048	ecadob.exe
536	xdobec.exe
536	xdobec.exe
4048	ecadob.exe
4048	ecadob.exe
536	xdobec.exe
536	xdobec.exe
4048	ecadob.exe
4048	ecadob.exe
536	xdobec.exe
536	xdobec.exe
4048	ecadob.exe
4048	ecadob.exe
536	xdobec.exe
536	xdobec.exe
4048	ecadob.exe
4048	ecadob.exe
536	xdobec.exe
536	xdobec.exe
4048	ecadob.exe
4048	ecadob.exe
536	xdobec.exe
536	xdobec.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe

description	pid	process	target process
PID 3648 wrote to memory of 4048	3648	6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe	ecadob.exe
PID 3648 wrote to memory of 4048	3648	6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe	ecadob.exe
PID 3648 wrote to memory of 4048	3648	6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe	ecadob.exe
PID 3648 wrote to memory of 536	3648	6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe	xdobec.exe
PID 3648 wrote to memory of 536	3648	6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe	xdobec.exe
PID 3648 wrote to memory of 536	3648	6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe	xdobec.exe

C:\Users\Admin\AppData\Local\Temp\6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe
"C:\Users\Admin\AppData\Local\Temp\6bc9a9f88a34ba2bcfb26ed8645db8d1eb7a911b0091cf9beb8d3f30ffa3543a.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3648

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4048

C:\FilesDM\xdobec.exe
C:\FilesDM\xdobec.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesDM\xdobec.exe

Filesize
2.7MB

MD5
9764ae5134236acbabf5a1e7fd9a7c05

SHA1
0d1de0a83bd45f10e35063a5c621e265d521d955

SHA256
9b87413991c7396a06f8c4ed014a336d4a46159cb80ed25b511df7eaa6d62c2b

SHA512
bd031b75347ee87936376dfdece2d8c62bfe819e118002348add046b782869045dd8ee61c3f8e429b9c48db5bc8635e9384674c865e03b64104e866f9d1c9b91

Download Submit
C:\GalaxX3\bodxec.exe

Filesize
460KB

MD5
981e8452207fe37ba40f53a59b77ca13

SHA1
95a981e80402b3b4f0cb79e57a96d0a47c060d51

SHA256
2c3da1457c6cd07bc19561ff45b04315b19c1a5c2cf05ac1cb4a3ccec81326ab

SHA512
ea6f1c48e642fb44312f368e324139ef66724aae30ad92daa3abe864e06203c7c4335a257dc2200a647123af555deca6f6d8d5378ff90d2e27676ac55061a786

Download Submit
C:\GalaxX3\bodxec.exe

Filesize
2.7MB

MD5
699296b3cac0e76f625d522d5120ea1a

SHA1
c5b5ef92f39c66c1cd9d50fd4ecd88c557611f87

SHA256
e2489fd5592f25788d4559581f520a71bb3d2f48c2c503a5d0c7c34481347c61

SHA512
21b938a897409a78eb5294e9f98fdf4eb66d121bebb87e219f79e2b13b8cff763ec4109ce3182d5d0d7fc25ede6881845dc26772b3a675430478863f1520f26f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
198B

MD5
5765d09ef719bd7cadb1c80180e9f85d

SHA1
79984fa54bf88647047ceb0f01125348161c14c4

SHA256
6d94d7012edd6979e5a70d99e6dfee06be35b53882393381f65830018254b025

SHA512
07345a35521f368cbfd2a07be64dee8703e551c43dea58ffcec0f6127d7b02767c74915b7ea13fd7c1e9aa83ca476a60dca556a98d58e1782022e51aeac667dd

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
166B

MD5
55b4ad0044163973df0feb543d5c6b2f

SHA1
2d402abace07bd16e413cb254a8f5ff8cb40852b

SHA256
19bacf389939669836d9eb10397f34b0d2b6f00640635d7dc9e4a727c70e0b8b

SHA512
93d711a9c75054550688f87e309074dabc136f44d3572e115f3aceb882bac3463045e8ea1b92372a5c0290163c8527414b351925d0b63aa7ef82c156601e3e59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

Filesize
2.7MB

MD5
9e8a9bfec3c48d1ef1d8af6de5638be5

SHA1
667f43f19d5245cffae90053b1d3a5e0feb0d924

SHA256
9c64a628eaccc3fee1bc9bb75f3760104123692493092663ffa5314556390973

SHA512
6d9b19246130247b7b243c70f3ef38e4eef7a73439b3f1ec36914d4a17e180af9ffeee3007dfd8d90f5357b5ac3abef7fecf79ed9bf64ad04ec008ae2260c4db

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads