18fde7c359012a55501705f28ea444265f8559b7eae163734ea5fa676a1aca25

General

Target

18fde7c359012a55501705f28ea444265f8559b7eae163734ea5fa676a1aca25.exe
Size

3.0MB
MD5

014d87cbcfacfd695c7080e404297be9
SHA1

d15e7d4f342b7a8d12a935c9f4f2b8a6f5092665
SHA256

18fde7c359012a55501705f28ea444265f8559b7eae163734ea5fa676a1aca25
SHA512

206285e2ccc0b6d832812f7578f46df6447c9ccedfc08ef0f280ef751c5f96a92849b4073bc6bba40520e4517042f35632680d5718441b8530533d318cdec607
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBvB/bSqz8b6LNX:sxX7QnxrloE5dpUpobVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

18fde7c359012a55501705f28ea444265f8559b7eae163734ea5fa676a1aca25.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe	18fde7c359012a55501705f28ea444265f8559b7eae163734ea5fa676a1aca25.exe

Executes dropped EXE 2 IoCs

Processes:

locabod.exeaoptiec.exe

pid process

2180 locabod.exe
1272 aoptiec.exe

pid	process
2180	locabod.exe
1272	aoptiec.exe

Loads dropped DLL 2 IoCs

Processes:

18fde7c359012a55501705f28ea444265f8559b7eae163734ea5fa676a1aca25.exe

pid	process
2928	18fde7c359012a55501705f28ea444265f8559b7eae163734ea5fa676a1aca25.exe
2928	18fde7c359012a55501705f28ea444265f8559b7eae163734ea5fa676a1aca25.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

18fde7c359012a55501705f28ea444265f8559b7eae163734ea5fa676a1aca25.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotBF\\aoptiec.exe"	18fde7c359012a55501705f28ea444265f8559b7eae163734ea5fa676a1aca25.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidT3\\boddevloc.exe"	18fde7c359012a55501705f28ea444265f8559b7eae163734ea5fa676a1aca25.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

18fde7c359012a55501705f28ea444265f8559b7eae163734ea5fa676a1aca25.exelocabod.exeaoptiec.exe

pid	process
2928	18fde7c359012a55501705f28ea444265f8559b7eae163734ea5fa676a1aca25.exe
2928	18fde7c359012a55501705f28ea444265f8559b7eae163734ea5fa676a1aca25.exe
2180	locabod.exe
1272	aoptiec.exe
2180	locabod.exe
1272	aoptiec.exe
2180	locabod.exe
1272	aoptiec.exe
2180	locabod.exe
1272	aoptiec.exe
2180	locabod.exe
1272	aoptiec.exe
2180	locabod.exe
1272	aoptiec.exe
2180	locabod.exe
1272	aoptiec.exe
2180	locabod.exe
1272	aoptiec.exe
2180	locabod.exe
1272	aoptiec.exe
2180	locabod.exe
1272	aoptiec.exe
2180	locabod.exe
1272	aoptiec.exe
2180	locabod.exe
1272	aoptiec.exe
2180	locabod.exe
1272	aoptiec.exe
2180	locabod.exe
1272	aoptiec.exe
2180	locabod.exe
1272	aoptiec.exe
2180	locabod.exe
1272	aoptiec.exe
2180	locabod.exe
1272	aoptiec.exe
2180	locabod.exe
1272	aoptiec.exe
2180	locabod.exe
1272	aoptiec.exe
2180	locabod.exe
1272	aoptiec.exe
2180	locabod.exe
1272	aoptiec.exe
2180	locabod.exe
1272	aoptiec.exe
2180	locabod.exe
1272	aoptiec.exe
2180	locabod.exe
1272	aoptiec.exe
2180	locabod.exe
1272	aoptiec.exe
2180	locabod.exe
1272	aoptiec.exe
2180	locabod.exe
1272	aoptiec.exe
2180	locabod.exe
1272	aoptiec.exe
2180	locabod.exe
1272	aoptiec.exe
2180	locabod.exe
1272	aoptiec.exe
2180	locabod.exe
1272	aoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

18fde7c359012a55501705f28ea444265f8559b7eae163734ea5fa676a1aca25.exe

description	pid	process	target process
PID 2928 wrote to memory of 2180	2928	18fde7c359012a55501705f28ea444265f8559b7eae163734ea5fa676a1aca25.exe	locabod.exe
PID 2928 wrote to memory of 2180	2928	18fde7c359012a55501705f28ea444265f8559b7eae163734ea5fa676a1aca25.exe	locabod.exe
PID 2928 wrote to memory of 2180	2928	18fde7c359012a55501705f28ea444265f8559b7eae163734ea5fa676a1aca25.exe	locabod.exe
PID 2928 wrote to memory of 2180	2928	18fde7c359012a55501705f28ea444265f8559b7eae163734ea5fa676a1aca25.exe	locabod.exe
PID 2928 wrote to memory of 1272	2928	18fde7c359012a55501705f28ea444265f8559b7eae163734ea5fa676a1aca25.exe	aoptiec.exe
PID 2928 wrote to memory of 1272	2928	18fde7c359012a55501705f28ea444265f8559b7eae163734ea5fa676a1aca25.exe	aoptiec.exe
PID 2928 wrote to memory of 1272	2928	18fde7c359012a55501705f28ea444265f8559b7eae163734ea5fa676a1aca25.exe	aoptiec.exe
PID 2928 wrote to memory of 1272	2928	18fde7c359012a55501705f28ea444265f8559b7eae163734ea5fa676a1aca25.exe	aoptiec.exe

C:\Users\Admin\AppData\Local\Temp\18fde7c359012a55501705f28ea444265f8559b7eae163734ea5fa676a1aca25.exe
"C:\Users\Admin\AppData\Local\Temp\18fde7c359012a55501705f28ea444265f8559b7eae163734ea5fa676a1aca25.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2928

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2180

C:\UserDotBF\aoptiec.exe
C:\UserDotBF\aoptiec.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1272

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotBF\aoptiec.exe
Filesize
3.0MB

MD5
fb0c7af6d211ab92e4baa54c20f76ceb

SHA1
d68e238c040f439964be19e351f2a7c3b0ad9d96

SHA256
52b239c0d8a5efdf4e9e72aa99d34a6c0a508e79d58822240e5b84cb6d66abe0

SHA512
be3ac289dadd7592db991d58971df8b45f15829b60372bc14ac100349a153eeae0dbb0b9148b9d88a1e42e0f2c75e6094af4e0ff832d08d13abbbfb276a8ddda

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini
Filesize
171B

MD5
b0ad5acae53a7dc80d1d5294f01fa4bd

SHA1
b78e8b7565c72165b511dbdc14632f7443715263

SHA256
eb6c234cb5fbc75c97042c77b746e5b67d988852cf9d75934b6a84e8592a13ec

SHA512
4471935cfd2bebb174c2832ab7c76bef75b3686a80e43ea4bc58cd8d2cde0b4477cda67fb1ae782cc9ac583b32395a1dd3ad4b96c824e345fad1bb088ecc27e8

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini
Filesize
203B

MD5
061f41837b44d210d8aa7e841b26ae20

SHA1
cafbc7aa5988782f68434633f248c4f74e026f08

SHA256
4b8ff1956e7bec2d2ba319be249da7ab5236e775dfbb2cd81bfc00dfc22a0a44

SHA512
c3b73695833aaa233c80a80b9568e236871bc3ad0aeaa860be86629f6a1cc9343c6418f36018b587566c5e8bca6fbef8176315ce69eeb7caf6c4d8461b09463d

Download Submit
C:\VidT3\boddevloc.exe
Filesize
3.0MB

MD5
88bc12ac7447009ff0ae804bc3584de2

SHA1
4884d653949c31477d50b5bd992da93247f2c0e8

SHA256
519060b681f858ceb63057295f81f53a0081e5bdfcd7e3f5bb41709ecefd7a31

SHA512
be2742514405e5b20b87164bccdf0930f1b6c4f9350bddc9b2a14f17c7bb13ba6274fe1631d1c03f63f3d31bf007cdc19cf9968607d1d06cd4a4d12f27435669

Download Submit
C:\VidT3\boddevloc.exe
Filesize
3.0MB

MD5
3b7726a4d4ca84935c46be02f23685c9

SHA1
b13e0be179544bb822db9bfc4064a14e9bba10fc

SHA256
add91b692610ab114788df5a686c5e69fbd07ed01c3b41d10db6e0e949767c73

SHA512
2f9ca014c1ca3375abb5506f2db0a768acb1719ca25de1dc985666d4f45a37ad579060f1f6fd800545438b10c5709bde03b0ce794ce952389aa67a84a9226743

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
Filesize
3.0MB

MD5
222745ee0b2127acd5c98b493190a743

SHA1
435095b8c2c0faacd034becba3db11a34fbf15f2

SHA256
8bfaaf650c4b9786b93a506d5a4ecfa769a6e76382531788a3fd72c7e3812199

SHA512
c16e53726bd4c9e10b532643489721c248f73531c9b41ff2d6c5031789618a0638f818d387e1d422cc6ae2f7ce916e3a2e80066b721ce7858c56b90344cc8795

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads