cc97b59379bc6eafe5c5c9dc66f16d4795270e01dce613652359bc852ba0665a | Triage

Submit
Reports

Overview

overview

Static

static

1

bot_start.exe

windows7-x64

bot_start.exe

windows10-2004-x64

Sharing

General

Target

bot_start.exe
Size

2.5MB
Sample

240523-dmbwesbf7v
MD5

62dec8c537e3aa76b294ab744b20d245
SHA1

1f4ec4852cd84d32a0d26ba0e163a373811eaebd
SHA256

cc97b59379bc6eafe5c5c9dc66f16d4795270e01dce613652359bc852ba0665a
SHA512

f47bbf3260f0124ec947b3a37ce316700481a8c4d5d984c9012df85673eb0d2c8777396e5a957cfc900ed509045e50d196558e931a84df146115e950abd8f6a7
SSDEEP

49152:SNkG6I1nPFf56dv26ot3VwBtF+kze3xqH1Hm4I6qxOli96Jyn5tzEde3Yx:S/fP9se6ot3VwBtF+kzeQHMdLcK6EtzY

Score

10^/10

execution spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

bot_start.exe

Resource

win7-20240221-en

execution spyware stealer

windows7-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

bot_start.exe

Resource

win10v2004-20240426-en

execution spyware stealer

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Targets

- Target
  
  bot_start.exe
- Size
  
  2.5MB
- MD5
  
  62dec8c537e3aa76b294ab744b20d245
- SHA1
  
  1f4ec4852cd84d32a0d26ba0e163a373811eaebd
- SHA256
  
  cc97b59379bc6eafe5c5c9dc66f16d4795270e01dce613652359bc852ba0665a
- SHA512
  
  f47bbf3260f0124ec947b3a37ce316700481a8c4d5d984c9012df85673eb0d2c8777396e5a957cfc900ed509045e50d196558e931a84df146115e950abd8f6a7
- SSDEEP
  
  49152:SNkG6I1nPFf56dv26ot3VwBtF+kze3xqH1Hm4I6qxOli96Jyn5tzEde3Yx:S/fP9se6ot3VwBtF+kzeQHMdLcK6EtzY
Score

10^/10

execution spyware stealer
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

executionspywarestealer

behavioral2

executionspywarestealer

© 2018-2024

Terms | Privacy