Analysis
-
max time kernel
51s -
max time network
51s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
submitted
17-06-2024 16:44
Behavioral task
behavioral1
Sample
7a16c2b2c3a81b375c1fb4552dd32bc2d3a84aa1d6e644cd20c07ad220c83e5f.exe
Resource
win10v2004-20240508-en
General
-
Target
7a16c2b2c3a81b375c1fb4552dd32bc2d3a84aa1d6e644cd20c07ad220c83e5f.exe
-
Size
396KB
-
MD5
51c1bc9607fc8496a6aa6c8613dd022a
-
SHA1
6d2a4f6056d51ae6b6171b42cc16713c5f6bedb9
-
SHA256
7a16c2b2c3a81b375c1fb4552dd32bc2d3a84aa1d6e644cd20c07ad220c83e5f
-
SHA512
274b0c18c57511d46d160fe675f3d69b7fed716ec4ccb81b89ba3b751fa1f8b014416b7af2e7564fecf2f88bb27e143c1b61bd9097db30f29f689c4ad9b5002e
-
SSDEEP
6144:bbODqpwPEuxGH6OrwX3pwzZwEq7EtE6rBpgw6Om92BUz7BJwaPEqrPlTu3q:byPPDLOrwX3pwzZwoB7M2uvfwARaq
Malware Config
Extracted
sharpstealer
https://api.telegram.org/bot6948010821:AAEJfl5iNgu_Z6rr2SH3SeV22wpex-Pltwo/sendMessage?chat_id=6841140670
-
max_exfil_filesize
1.5e+06
-
proxy_port
168.235.103.57:3128
-
vime_world
false
Signatures
-
Sharp Stealer
Sharp Stealer is an infostealer first observed in 2024, based on Echelon and Umbral stealers.
-
Sharpstealer family
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 1 api.ipify.org 5 freegeoip.app -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1928 7a16c2b2c3a81b375c1fb4552dd32bc2d3a84aa1d6e644cd20c07ad220c83e5f.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1928 7a16c2b2c3a81b375c1fb4552dd32bc2d3a84aa1d6e644cd20c07ad220c83e5f.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7a16c2b2c3a81b375c1fb4552dd32bc2d3a84aa1d6e644cd20c07ad220c83e5f.exe"C:\Users\Admin\AppData\Local\Temp\7a16c2b2c3a81b375c1fb4552dd32bc2d3a84aa1d6e644cd20c07ad220c83e5f.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1928
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
Filesize
124KB
MD59618e15b04a4ddb39ed6c496575f6f95
SHA11c28f8750e5555776b3c80b187c5d15a443a7412
SHA256a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab
SHA512f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26