Malware Analysis Report

2024-11-15 06:38

Sample ID 240604-bbxmmsgc95
Target a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56
SHA256 a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56
Tags
spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56

Threat Level: Shows suspicious behavior

The file a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56 was found to show suspicious behavior.

Malicious Activity Summary

spyware stealer

Reads user/profile data of web browsers

Loads dropped DLL

Enumerates connected drives

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 00:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 00:58

Reported

2024-06-04 01:01

Platform

win7-20240215-en

Max time kernel

150s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe

"C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\pdl11CC.tmp

MD5 1bc225e0c1c2f54cc877b654ccf04684
SHA1 66b37d20f580e14efa3312821aa1b44eccd0f1fe
SHA256 19486800845b74be3487f1319d6f249ce85e8b47df586dd8e9b9cbb46875ae93
SHA512 9e4604f5cb06c498b53ac91eb8b37e923dc5d6629984b77ecbbc149abac5c94352cd8ab64488a3516083a39988282f0fb5b7fc2aa5e81426685a5a039e96f283

memory/1512-4-0x0000000010000000-0x000000001003A000-memory.dmp

memory/1512-3-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1512-6-0x0000000010000000-0x000000001003A000-memory.dmp

memory/1512-8-0x0000000010000000-0x000000001003A000-memory.dmp

memory/1512-10-0x0000000010000000-0x000000001003A000-memory.dmp

memory/1512-12-0x0000000010000000-0x000000001003A000-memory.dmp

memory/1512-14-0x0000000010000000-0x000000001003A000-memory.dmp

memory/1512-16-0x0000000010000000-0x000000001003A000-memory.dmp

memory/1512-18-0x0000000010000000-0x000000001003A000-memory.dmp

memory/1512-20-0x0000000010000000-0x000000001003A000-memory.dmp

memory/1512-22-0x0000000010000000-0x000000001003A000-memory.dmp

memory/1512-24-0x0000000010000000-0x000000001003A000-memory.dmp

memory/1512-26-0x0000000010000000-0x000000001003A000-memory.dmp

memory/1512-30-0x0000000010000000-0x000000001003A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 00:58

Reported

2024-06-04 01:01

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe

"C:\Users\Admin\AppData\Local\Temp\a1e01349b3bdae052719f4af25038dc1b6a1fb20f701c142e4153c8b9261ed56.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\pdl34DB.tmp

MD5 1bc225e0c1c2f54cc877b654ccf04684
SHA1 66b37d20f580e14efa3312821aa1b44eccd0f1fe
SHA256 19486800845b74be3487f1319d6f249ce85e8b47df586dd8e9b9cbb46875ae93
SHA512 9e4604f5cb06c498b53ac91eb8b37e923dc5d6629984b77ecbbc149abac5c94352cd8ab64488a3516083a39988282f0fb5b7fc2aa5e81426685a5a039e96f283

memory/5112-5-0x0000000010000000-0x000000001003A000-memory.dmp

memory/5112-4-0x0000000000400000-0x0000000000442000-memory.dmp

memory/5112-7-0x0000000010000000-0x000000001003A000-memory.dmp

memory/5112-9-0x0000000010000000-0x000000001003A000-memory.dmp

memory/5112-11-0x0000000010000000-0x000000001003A000-memory.dmp

memory/5112-13-0x0000000010000000-0x000000001003A000-memory.dmp

memory/5112-15-0x0000000010000000-0x000000001003A000-memory.dmp

memory/5112-19-0x0000000010000000-0x000000001003A000-memory.dmp

memory/5112-21-0x0000000010000000-0x000000001003A000-memory.dmp

memory/5112-23-0x0000000010000000-0x000000001003A000-memory.dmp

memory/5112-25-0x0000000010000000-0x000000001003A000-memory.dmp

memory/5112-27-0x0000000010000000-0x000000001003A000-memory.dmp

memory/5112-29-0x0000000010000000-0x000000001003A000-memory.dmp

memory/5112-31-0x0000000010000000-0x000000001003A000-memory.dmp