Overview

overview

7

Static

static

3

16e54b7fe9...bf.exe

windows7-x64

7

16e54b7fe9...bf.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 19:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    16e54b7fe91396302b9d279b3320de8330367bbd1d041911525758f082f7edbf.exe

  • Size

    3.0MB

  • MD5

    37d2830a7169fb6c6e3930dced19f042

  • SHA1

    c808915b5c9584a85b8ae24e27236bc02f107ccc

  • SHA256

    16e54b7fe91396302b9d279b3320de8330367bbd1d041911525758f082f7edbf

  • SHA512

    eef0ccea3d5ce79821f32e03f3cc960621d6f69c7f30fff3aa12a19dca62a8ab1a192cea5c5502c2ffea9c9137ef6707631ce5c28e8ca5ee1803e925ea278779

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBcB/bSqz8b6LNX:sxX7QnxrloE5dpUpTbVz8eLF

Score
7/10
persistencespywarestealer

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\16e54b7fe91396302b9d279b3320de8330367bbd1d041911525758f082f7edbf.exe
    "C:\Users\Admin\AppData\Local\Temp\16e54b7fe91396302b9d279b3320de8330367bbd1d041911525758f082f7edbf.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:536
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2764
    • C:\UserDot0I\devoptiloc.exe
      C:\UserDot0I\devoptiloc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2792

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Galax5Q\bodasys.exe
    Filesize

    242KB

    MD5

    754d51d16a42b7817d51567b0c65c8ff

    SHA1

    ad54056aac00c04d4b689936bea6d71c7117b6cc

    SHA256

    7b3da9d434bf2870abe7b1c05f1a918524ca95476d6c0385536fa90487ca5583

    SHA512

    9e4630448c2902ba4d7761b42d5f8f227bf0474b60d661aa29539b13977b039616da93235000abc86228353abbe52081e4a91fe99498c512dfff57746546f9bd

    Download Submit
  • C:\Galax5Q\bodasys.exe
    Filesize

    124KB

    MD5

    6b1c01e351e3b4014246c7edb744f850

    SHA1

    2543ecface7f1f49368bb0d14d2d72a484122858

    SHA256

    78ccf17cede42dea83863c16dbe81e7035be5407abe2693ab684eb7ceda2548d

    SHA512

    ed5cedfd51f747c06923f400bb92943315dfcc37f9a51fbe696e7d7b60704b2e1c24fababa4c0150b37f5383f51f87deefa00a7b429a2fc42e8d2a1eae699080

    Download Submit
  • C:\UserDot0I\devoptiloc.exe
    Filesize

    15KB

    MD5

    10e6df3619bbbd1a2464d5000a56fbb5

    SHA1

    9080f324c059847c04fbc434d62d8ab2e06140a9

    SHA256

    e437e0733cdde421f32dedbcb49fb69873f23116dc2523e2a45b18e005fd1559

    SHA512

    9cf956066c20f94e36fc21e8c536ef7625e51e279c3c9794d5029cac42d155db5a2e79ccfe4010364e50c34b0675745a5fc121a112892a31b331ab14427ac6ff

    Download Submit
  • C:\UserDot0I\devoptiloc.exe
    Filesize

    3.0MB

    MD5

    a95e37afa7c4245b007e5f1d0a004745

    SHA1

    e1e88d51aebc839da74d3c73c3fd6fd5d795858d

    SHA256

    c1889b006917fdcbdf6f8e3c56c7578ceb1ef8d38b6c3596344f4eb411e8e39d

    SHA512

    ffb14f195f1502798ca6b835d73eafc35d76848fb3d5ecf37721ee323ee174b3907d44043bdcccb36c933e6515e3ca26123cff1fbc559696623da09f84f805e9

    Download Submit
  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize

    205B

    MD5

    0f00f5c7bb2c52283c37316c641436b1

    SHA1

    fc44bdd006865658d62f6efc6a9a855dad59167d

    SHA256

    3334cc28c2cc74aff16e1e34669b1a50a65b4bb9926706a55c94fd509e740703

    SHA512

    7b8ca859de87366d388b5bcd4bead7c39c6a861aafcb63220d18c01f88ac0b210d13690910c35c2307d8ac0217ef2bb5f76cbf811661b5bd669bdedf88bed576

    Download Submit
  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize

    173B

    MD5

    fcb387fd7e20616e9d33fbd4ccd3cec2

    SHA1

    5643e97df1d87d191abe3db58c059bfb3cfa0c05

    SHA256

    9326bc8dcd70f6ed94ec8c5539aceb0c414cb1e13d18707b9de42c534be05dbb

    SHA512

    fea851dcecca96c74ec1d81b0df8d0119e5af3937c5d6275493a575174c5e4a2351570f87c034ffbba8cdd8fe2c71e6985c4036bb66ab510b6cb6db56bdf84fb

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
    Filesize

    3.0MB

    MD5

    581d04970d85f07026aacd6bdf147a13

    SHA1

    fc244edc65d7a3da1fd49eeccc34f33a81a8d3c2

    SHA256

    27bb237eb51694d0c2870d5e43fce5c02584962bfe51ff1542044c9f97d75565

    SHA512

    8f38e5cae621ad43dc4914ae7b0774f9243b5ac17e684b82cdb157df857c3281c77eb09b0f0ece13cfe9ecebff206bc550449a210e2376afdcf4327d5720bc6e

    Download Submit