sharpstealer | a5ef342482499489ef303c5f95a9684bff503a9c7c44b16572a4c7ebe60f1141

General

Target

a5ef342482499489ef303c5f95a9684bff503a9c7c44b16572a4c7ebe60f1141.exe
Size

393KB
MD5

2b22bd7790dfd1f241a512918e814133
SHA1

bcdb2f6cab3c32d0382dd8d09ee7ab8ce9ea037b
SHA256

a5ef342482499489ef303c5f95a9684bff503a9c7c44b16572a4c7ebe60f1141
SHA512

38e64215b9561267322e2724d0e1d994015f88c2b3b2e7fbe3fafc77cbfd92f17ef3fb994e8a8f1e3a020972241ceaf5f77a7888de1a81e019722566c9005184
SSDEEP

6144:p/SZwCDkBDKpVtXIoEpGy8Un02o/7U9398hBg9w5Jq/lJwam9erm7Tu1E:pDCYBDKb2Gy8Un02oTURSY06w1AT

Score

10^/10

sharpstealer discovery spyware stealer

Malware Config

Extracted

Family

sharpstealer

Attributes

max_exfil_filesize
1.5e+06
vime_world
false

aes.plain

Signatures

Sharp Stealer
Sharp Stealer is an infostealer first observed in 2024, based on Echelon and Umbral stealers.
stealer sharpstealer
Sharpstealer family
sharpstealer
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
7	api.ipify.org
11	api.ipify.org
18	freegeoip.app
19	ip-api.com
20	freegeoip.app

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a5ef342482499489ef303c5f95a9684bff503a9c7c44b16572a4c7ebe60f1141.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	a5ef342482499489ef303c5f95a9684bff503a9c7c44b16572a4c7ebe60f1141.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	a5ef342482499489ef303c5f95a9684bff503a9c7c44b16572a4c7ebe60f1141.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a5ef342482499489ef303c5f95a9684bff503a9c7c44b16572a4c7ebe60f1141.exe

pid	Process
2304	a5ef342482499489ef303c5f95a9684bff503a9c7c44b16572a4c7ebe60f1141.exe
2304	a5ef342482499489ef303c5f95a9684bff503a9c7c44b16572a4c7ebe60f1141.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a5ef342482499489ef303c5f95a9684bff503a9c7c44b16572a4c7ebe60f1141.exe

description	pid	Process
Token: SeDebugPrivilege	2304	a5ef342482499489ef303c5f95a9684bff503a9c7c44b16572a4c7ebe60f1141.exe

C:\Users\Admin\AppData\Local\Temp\a5ef342482499489ef303c5f95a9684bff503a9c7c44b16572a4c7ebe60f1141.exe
"C:\Users\Admin\AppData\Local\Temp\a5ef342482499489ef303c5f95a9684bff503a9c7c44b16572a4c7ebe60f1141.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3780 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE616.tmp.dat

Filesize
220KB

MD5
4792c952ce914d9a6a275947afa6cf64

SHA1
ab3f3477dc71fa2f7e0abeb4853d0437245dd311

SHA256
3d7e4d8d97d0916ee5f7dc45ad078015039d675d87f1e92638c376569d8dd8ac

SHA512
73b42128bd40c53683c4f2e4a89c227bb4a1876b3885c1fe2915552bc3c6ebaba383b82006e004584e1cdf526a4eda05cfc4009659e11ebe2940e08469db15b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE629.tmp.dat

Filesize
192KB

MD5
8ccb6c13863fb6e99ed9a29a95f273fe

SHA1
b809aadcbd64fc29edb0cf27fb223784563a911f

SHA256
6b5e07d7137e1d3bee13888a7e8c81fae36ef046c9c7ba074e5fef67e6a594b4

SHA512
635bd5e4a1f9c0bf4dd331912f47d65de52496ae4e8fd8de84fac2008064c5c07b60fc33dd318cdf091ad9de2d14a0ff326a95d14f8084f0e5abbcaa98c7f0bb

Download Submit
C:\Новая папка\Process.txt

Filesize
1KB

MD5
8d210b00e501213653b968da1fed3682

SHA1
7e61baf9650392cf2f39bcf49baa6835fcc07af8

SHA256
418b0ca6f1925108478908e9f86eecd2f7a4fb355ce535a32f698322f4a01a84

SHA512
8fbf707e3272c04c6758fb234bd89af5029b7f5cab0e91e856eaca7dfc8a156cc7429c69996071a6564de5f94038dc88bd5a9af3275f8538c89027cda1312532

Download Submit
C:\Новая папка\Process.txt

Filesize
544B

MD5
24a9b6c29abf486986231b7c81d875b7

SHA1
0b4d765e76d1b28f5fa41d71b4db8f6595ca8e63

SHA256
4fe436bb8303cdd3a5f9e436ec34c072bd328c467122cfc8803f479aecc99870

SHA512
130175ca4eae9eb882d9e3e5b9c0a38f78c2e32e8851e44aa5dd8a4f5d0ad1207b80319325806b70b2b51a8c1a68033c769f1253a3dd2b5b4b44aa8d2c11635b

Download Submit
C:\Новая папка\Process.txt

Filesize
692B

MD5
ee690de8de5ae4fc0e056e2d8a410976

SHA1
5c2a25de02fabed9d1f627664f37646c54aae9b5

SHA256
7dfec60f3633553b3281f4f42ea882b9115cb0b7d4839082733eede39413a2c8

SHA512
363e09bf9dad8e2d832b87263074bdbd84c0bb0e90c2ecb69470040e94c66a1160f23578c1a0ab0e9b20302e5d2d26411712a15939fc3c0406f3d4e3c6380be2

Download Submit
C:\Новая папка\Process.txt

Filesize
705B

MD5
a8155ebf9af9244f5b9fd4bb468b99b1

SHA1
a86efa850fd7e1a7b7e42e63fc6080c299d3eeba

SHA256
b6a5eedb340327271895e64c946bb33b67af77e6ffb4f66c37ec7ee43fa8b9a0

SHA512
09b4b336890ca089e56b9223036b7c58d202b670254aa15198c4da4d62cdba9f3de1d28e1354ff95f9c07e8eb6ce677fa321640b0565818c3738eb58d9663c48

Download Submit
memory/2304-0-0x00007FFE8AC03000-0x00007FFE8AC05000-memory.dmp

Filesize
8KB

Download
memory/2304-1-0x0000011DF8EE0000-0x0000011DF8F48000-memory.dmp

Filesize
416KB

Download
memory/2304-2-0x00007FFE8AC00000-0x00007FFE8B6C1000-memory.dmp

Filesize
10.8MB

Download
memory/2304-57-0x0000011DFC3C0000-0x0000011DFC436000-memory.dmp

Filesize
472KB

Download
memory/2304-58-0x0000011DFC610000-0x0000011DFC7D2000-memory.dmp

Filesize
1.8MB

Download
memory/2304-154-0x00007FFE8AC00000-0x00007FFE8B6C1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads