0d9b238954b8fc571ce5fb05e3287bca2ce57f678cb8a4464d798a007d8df443

General

Target

0d9b238954b8fc571ce5fb05e3287bca2ce57f678cb8a4464d798a007d8df443.exe
Size

3.6MB
MD5

1a9d75ed0b70622225cb505e217bac09
SHA1

eb431b016cbfbb61223d4e3a56419cc155df224c
SHA256

0d9b238954b8fc571ce5fb05e3287bca2ce57f678cb8a4464d798a007d8df443
SHA512

a540169f029f405f2420c91230a6ba626a37d3f64399c61dd89dad234236abaa3587ffd3c1e0df826e54da4acf533002ba103f6bc4931dc7cdf69543959e6ebd
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBmB/bSqz8:sxX7QnxrloE5dpUplbVz8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

0d9b238954b8fc571ce5fb05e3287bca2ce57f678cb8a4464d798a007d8df443.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe	0d9b238954b8fc571ce5fb05e3287bca2ce57f678cb8a4464d798a007d8df443.exe

Executes dropped EXE 2 IoCs

Processes:

ecabod.exedevbodec.exe

pid process

2976 ecabod.exe
2616 devbodec.exe

pid	process
2976	ecabod.exe
2616	devbodec.exe

Loads dropped DLL 2 IoCs

Processes:

0d9b238954b8fc571ce5fb05e3287bca2ce57f678cb8a4464d798a007d8df443.exe

pid	process
1992	0d9b238954b8fc571ce5fb05e3287bca2ce57f678cb8a4464d798a007d8df443.exe
1992	0d9b238954b8fc571ce5fb05e3287bca2ce57f678cb8a4464d798a007d8df443.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0d9b238954b8fc571ce5fb05e3287bca2ce57f678cb8a4464d798a007d8df443.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocM0\\devbodec.exe"	0d9b238954b8fc571ce5fb05e3287bca2ce57f678cb8a4464d798a007d8df443.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintZF\\dobdevec.exe"	0d9b238954b8fc571ce5fb05e3287bca2ce57f678cb8a4464d798a007d8df443.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0d9b238954b8fc571ce5fb05e3287bca2ce57f678cb8a4464d798a007d8df443.exeecabod.exedevbodec.exe

pid	process
1992	0d9b238954b8fc571ce5fb05e3287bca2ce57f678cb8a4464d798a007d8df443.exe
1992	0d9b238954b8fc571ce5fb05e3287bca2ce57f678cb8a4464d798a007d8df443.exe
2976	ecabod.exe
2616	devbodec.exe
2976	ecabod.exe
2616	devbodec.exe
2976	ecabod.exe
2616	devbodec.exe
2976	ecabod.exe
2616	devbodec.exe
2976	ecabod.exe
2616	devbodec.exe
2976	ecabod.exe
2616	devbodec.exe
2976	ecabod.exe
2616	devbodec.exe
2976	ecabod.exe
2616	devbodec.exe
2976	ecabod.exe
2616	devbodec.exe
2976	ecabod.exe
2616	devbodec.exe
2976	ecabod.exe
2616	devbodec.exe
2976	ecabod.exe
2616	devbodec.exe
2976	ecabod.exe
2616	devbodec.exe
2976	ecabod.exe
2616	devbodec.exe
2976	ecabod.exe
2616	devbodec.exe
2976	ecabod.exe
2616	devbodec.exe
2976	ecabod.exe
2616	devbodec.exe
2976	ecabod.exe
2616	devbodec.exe
2976	ecabod.exe
2616	devbodec.exe
2976	ecabod.exe
2616	devbodec.exe
2976	ecabod.exe
2616	devbodec.exe
2976	ecabod.exe
2616	devbodec.exe
2976	ecabod.exe
2616	devbodec.exe
2976	ecabod.exe
2616	devbodec.exe
2976	ecabod.exe
2616	devbodec.exe
2976	ecabod.exe
2616	devbodec.exe
2976	ecabod.exe
2616	devbodec.exe
2976	ecabod.exe
2616	devbodec.exe
2976	ecabod.exe
2616	devbodec.exe
2976	ecabod.exe
2616	devbodec.exe
2976	ecabod.exe
2616	devbodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

0d9b238954b8fc571ce5fb05e3287bca2ce57f678cb8a4464d798a007d8df443.exe

description	pid	process	target process
PID 1992 wrote to memory of 2976	1992	0d9b238954b8fc571ce5fb05e3287bca2ce57f678cb8a4464d798a007d8df443.exe	ecabod.exe
PID 1992 wrote to memory of 2976	1992	0d9b238954b8fc571ce5fb05e3287bca2ce57f678cb8a4464d798a007d8df443.exe	ecabod.exe
PID 1992 wrote to memory of 2976	1992	0d9b238954b8fc571ce5fb05e3287bca2ce57f678cb8a4464d798a007d8df443.exe	ecabod.exe
PID 1992 wrote to memory of 2976	1992	0d9b238954b8fc571ce5fb05e3287bca2ce57f678cb8a4464d798a007d8df443.exe	ecabod.exe
PID 1992 wrote to memory of 2616	1992	0d9b238954b8fc571ce5fb05e3287bca2ce57f678cb8a4464d798a007d8df443.exe	devbodec.exe
PID 1992 wrote to memory of 2616	1992	0d9b238954b8fc571ce5fb05e3287bca2ce57f678cb8a4464d798a007d8df443.exe	devbodec.exe
PID 1992 wrote to memory of 2616	1992	0d9b238954b8fc571ce5fb05e3287bca2ce57f678cb8a4464d798a007d8df443.exe	devbodec.exe
PID 1992 wrote to memory of 2616	1992	0d9b238954b8fc571ce5fb05e3287bca2ce57f678cb8a4464d798a007d8df443.exe	devbodec.exe

C:\Users\Admin\AppData\Local\Temp\0d9b238954b8fc571ce5fb05e3287bca2ce57f678cb8a4464d798a007d8df443.exe
"C:\Users\Admin\AppData\Local\Temp\0d9b238954b8fc571ce5fb05e3287bca2ce57f678cb8a4464d798a007d8df443.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2976

C:\IntelprocM0\devbodec.exe
C:\IntelprocM0\devbodec.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2616

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocM0\devbodec.exe
Filesize
3.6MB

MD5
95bbff20392c94497e75c77c06ff28a0

SHA1
76e101ecabf866da885a790ce220eb4f8aa740b0

SHA256
4d488e6ea9d4549d39961ede43118973f1bd12dd66f45af2d4eeafd8e3b6f083

SHA512
b17938fed0bd5328e4f744303d874d70398b2a46f280f22d04b966e85ca5b3e71de88d373463e5fee43681106bf0aa267f5813adf8642f3135516422061faa67

Download Submit
C:\MintZF\dobdevec.exe
Filesize
1.9MB

MD5
1915fdd937da72ae64b0e4efabb29568

SHA1
e306db7d90fae6039909a04ae7e257fd803536a7

SHA256
fbcd6d33e24252269fd806045921bf489428be0ba8d67c853a2104e25ec156c9

SHA512
fe533c42e713f5f3e443a1b480d83c005acc09bf41b0eeb26bbb5ec1a1766acff272f58264d99d53c4a5a76f4309158c70f1859de80f94d71174b956dceee86c

Download Submit
C:\MintZF\dobdevec.exe
Filesize
3.6MB

MD5
6d565ebbf14ae6fbbe6724852ca17ebe

SHA1
7b68c5a4ec9a5c7e0378c0905df368361ab590d1

SHA256
f6e25aa3a0f3fb44100f66c8c8e06a0ecb2bf2e18ae0b7b9ab0a59b62a79692c

SHA512
423edbd71d4c4c6f62dbc3d801bdff6ed5ca7478b71a33575a644a732518dd26fae7f5602f4f93e5a9e35fb0b77ce2c4859efbb9c3f5ef1ba9f7dcaa31d0feb6

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini
Filesize
173B

MD5
5ab7dba38017a892697acf02aeaeb500

SHA1
378f167ef30898b02b58b2eff953206964172400

SHA256
c35b2bbc87eb9f63fb94867927cb3e4daa30a60ef91569775a18a04ce3d57ecc

SHA512
d46d5f055b1fb7b47850bb3f1f0b19e9b4d8a9f59af4b2dcd4fe0ef3b1f8a41bdd10d92670020debaa73543804b41413d58c1278a1aee9210fa3b7dd26eb0b6f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini
Filesize
205B

MD5
269a88b76fa0dc5ebea2b51d091c3f82

SHA1
443921e9e4a6d3b8083c610b6ec42f5edee04352

SHA256
0e32cd46d578eb753c5a7a97c298f1a742808b82983d774af8c0c8e8d8ca1889

SHA512
983b14f8bcd5f885133c236cf9ddd161688e977ab708802f327026994dd5733685c1f45a74392ae53fb20049566f352c6acfa5fe460b0b9ec72f3a0c8ed09afd

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
Filesize
3.6MB

MD5
234b7d7181ca20095493cbab022a1606

SHA1
f06a44e02b9174e1a19500ef81ae7744a74dddf0

SHA256
86f21d5a8950d60f1c451179ee92f2eeac5f84bd1c848016285887f59916b251

SHA512
ce0708b2cf8e72e4e5ec1eae86e7976df557a3aca4d01fec126fb66bb61d202d060e4d7900569798ee8c54e7524ea7fda8a794a421ff4fd92a08f8cca3a1b67b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads