crealstealer | 97c9a5cab96e4fa1adcaf5da236fbb479d539d48392ade77efaa030d66d1f5c5 | Triage

Resubmissions

22-06-2024 16:01

240622-tgf6ystbre 10

22-06-2024 16:00

240622-tfz8faxgkp 10

22-06-2024 15:49

240622-s9d2mashmf 10

Sharing

General

Target

MIDNIGHT CS2 UPDATE.zip
Size

15.6MB
Sample

240622-s9d2mashmf
MD5

3c289b210cec73ccbe89cd978a282eb2
SHA1

08c4415cadb7ec44db4b31d2b249bd05c3b70e30
SHA256

97c9a5cab96e4fa1adcaf5da236fbb479d539d48392ade77efaa030d66d1f5c5
SHA512

5ddeea87f3da378dc1005d6386424fadfede575a8d10e2dd8fc25b4f5b77505c5459f07bd46fd5e77e51154b7a3b573c583c0c0f08b536c80a741b2819477905
SSDEEP

393216:KqYAzeHFgW7Azuf77Ma8tGWLkdh02ZgBSm+PN4twjFho51Gp3kis6t3j:Fz+Fgaxz71GGI2LZeSm+ld1XZt3j

Score

10^/10

crealstealer pyinstaller spyware stealer

Malware Config

Targets

- Target
  
  MIDNIGHT CS2 UPDATE.zip
- Size
  
  15.6MB
- MD5
  
  3c289b210cec73ccbe89cd978a282eb2
- SHA1
  
  08c4415cadb7ec44db4b31d2b249bd05c3b70e30
- SHA256
  
  97c9a5cab96e4fa1adcaf5da236fbb479d539d48392ade77efaa030d66d1f5c5
- SHA512
  
  5ddeea87f3da378dc1005d6386424fadfede575a8d10e2dd8fc25b4f5b77505c5459f07bd46fd5e77e51154b7a3b573c583c0c0f08b536c80a741b2819477905
- SSDEEP
  
  393216:KqYAzeHFgW7Azuf77Ma8tGWLkdh02ZgBSm+PN4twjFho51Gp3kis6t3j:Fz+Fgaxz71GGI2LZeSm+ld1XZt3j
Score

1^/10
behavioral1 behavioral2
- Target
  
  MIDNIGHT CS2.exe
- Size
  
  15.8MB
- MD5
  
  09c540b93f5789a89e23ecf3f146f6d3
- SHA1
  
  5cdfb72485d7ed7ecf2fa88ba356bfabca4a2d66
- SHA256
  
  e8bb79dc1428186e6d5f892a4510b0834a3a270061ebff81982f5b9e4c859b8d
- SHA512
  
  16264666c1b7035f43237fe8a4eb24cfb9ef3a3febc7ebe1c49eee146b7e9ae6ec1d1a5296d08f71e28936f3a8f5b1f8666dd2ee17c9ed5264ac604f790eb5b1
- SSDEEP
  
  393216:bUiIE7Yo9+4uOwxHi+2ohcyLkW+eGQRe9jo7BGcGkaJKt/WoAfL9:R7r9+ROyHiRyc0kW+e5Re9MvpeL9
Score

7^/10

spyware stealer
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral3 behavioral4
- Target
  
  Creal.pyc
- Size
  
  126KB
- MD5
  
  07b4276b2cfd33972d53fbac3371981b
- SHA1
  
  89dd5c5b0ec049b1d079740061dfb5a179f73880
- SHA256
  
  7a80bea513ebcf6cc9482a24dcccd46e53fd17f68aca7072b092cff7eb2839ab
- SHA512
  
  6d326ba8d6c6c19bffdef5c5791fb5a55c5e1202f6916b30c7bc4b3372e38344cbfc05c6e5bbaa4b141e4649e0e6e73a9c7474cd5094e7c4c47cce0805a9b795
- SSDEEP
  
  1536:kr9aqMamgphoWdUeOPZZ4GQmGwWaMIwk/JsVAVMRSlxXDEJ0ZVRW5D9Kv1X57mGm:kB7MaNdU8dQ/KS1WXINLsnN
Score

3^/10
behavioral5 behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Process Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

pyinstallercrealstealer

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6