462167716f86f490f7e602eed5f632fd85641d3b2114e6e31d6e96989c4f2dfe

Analysis

max time kernel
145s
max time network
149s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
02/08/2024, 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$TEMP/Toolbar_Eazel.exe
Size

833KB
MD5

60f696dcb8f5ac9d8f27ef996d176c61
SHA1

45a53ee8ea05a8db81a905800b024fd4d40d2281
SHA256

bfba0fac599f252652137426f56b095685df45d7b64dcb4d8d8d510b741b3a71
SHA512

01e8bb3b538ebd63dcce3fa9bc54bcdc39b9591203954f70281a6ffa07f543594a1b17622c11167b2827e5c51759db32e56c3d09709d7c0131999e8c6b889e50
SSDEEP

24576:qbs2wk+y19xV3XZ1/wB9mMj9kYjZrGGBv+zEJSEZ/:q/FDdV51/w/kQJ+wdZ/

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1948	Setup.exe

Loads dropped DLL 1 IoCs

pid	Process
2464	Toolbar_Eazel.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Toolbar_Eazel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Setup.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Test.cap	Setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TEST.CAP	Setup.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1948	Setup.exe
Token: SeTakeOwnershipPrivilege	1948	Setup.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1948	Setup.exe
1948	Setup.exe
1948	Setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 1948	2464	Toolbar_Eazel.exe	30
PID 2464 wrote to memory of 1948	2464	Toolbar_Eazel.exe	30
PID 2464 wrote to memory of 1948	2464	Toolbar_Eazel.exe	30
PID 2464 wrote to memory of 1948	2464	Toolbar_Eazel.exe	30
PID 2464 wrote to memory of 1948	2464	Toolbar_Eazel.exe	30
PID 2464 wrote to memory of 1948	2464	Toolbar_Eazel.exe	30
PID 2464 wrote to memory of 1948	2464	Toolbar_Eazel.exe	30

C:\Users\Admin\AppData\Local\Temp\$TEMP\Toolbar_Eazel.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\Toolbar_Eazel.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Users\Admin\AppData\Local\Temp\E7DB1F00-BAB0-7891-8D77-BD1334535F5E\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\E7DB1F00-BAB0-7891-8D77-BD1334535F5E\Setup.exe" Files\Common Files
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Babylon\Setup\Setup3-9.0.3.23.zpb

Filesize
60KB

MD5
5c3f3322e2c2b9a2ba5e2c92030c2f2b

SHA1
c51a24a2520c7559b40b204832b0ea3b383c2eb2

SHA256
d889214c0c295373121aef32b8c2c50c8c20530e3b3aa1a74ffdd991ccb37168

SHA512
fefc62b8af19a38e14d9077163afc935029ef4457c228a0d357e49ce7e9b58319d4b6fa38a38c2adb0d005f15c3f304ae76d81ca838e430f8e97bdc840c148d4

Download Submit
C:\Users\Admin\AppData\Local\Babylon\Setup\setup2-9.0.3.23.zpb

Filesize
142KB

MD5
4d507fc2ad32d1d8a8e74aaa8c01c1ca

SHA1
6fe219d6c97c2482e386de8618b5814a04eef635

SHA256
a551b5fbdfbb2a519edada9902b6dae5be9810db1c6acdf2dfe4bee2aa4caf7d

SHA512
db9caa9fe8bab0d57cf4c8164e2ca5dcb5df8be6ec988f6cd11ff6128ecd31913ac5bbabc6a197948396045e471fd43139bc6a404b44ac31b573503eb58bd443

Download Submit
C:\Users\Admin\AppData\Local\Temp\E7DB1F00-BAB0-7891-8D77-BD1334535F5E\Babylon.dat

Filesize
10KB

MD5
8e6b33a7f03e2693a614002587a35ddd

SHA1
c7508aa4225cae079526f90d218cb1245b996667

SHA256
504baa961bfc83a0da0a7b5ab45f713a81b06642602f3d4c032fae8a1391be30

SHA512
ef8891b1183a8c19afa4c41cb9a443ebda58f5b82b372b25c0b7e7eacf32b8c9c8d8e0ebdd946b860b111431ed5e613db9c141e66f398715e4000770834d2e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\E7DB1F00-BAB0-7891-8D77-BD1334535F5E\HtmlScreens\Thumbs.db

Filesize
18KB

MD5
84a44abf780d85199cd29619445291e2

SHA1
db133cde106611e1ddca55e1288f251cf5b53f65

SHA256
3fa26e1ac3f817664b0d5e379911533aaa5acd8965127725d0e88478c31f776d

SHA512
825e5f3f01a0e5e49d6eaf0e6267d1ee7bd2a37cc424ca5786844e746fd4e240b97dc90c2bba06f642df6f2675c45e80263c71d684c9df56d8442676cac66b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\E7DB1F00-BAB0-7891-8D77-BD1334535F5E\HtmlScreens\common.js

Filesize
3KB

MD5
61326fe65b7ab277221d5fd3c3d8154f

SHA1
292d39c304209e0c87cbab00f8c5c37fcd0b1887

SHA256
055cc4086e5c6f5991aab46999cb147c155a1b4bd4675b1fe673ccc8527dbd07

SHA512
1f77de3af5266342429baf3e26ac71b5d476026213cb2a06f74b37251e4ba442f468b49c5691c4a0563373dfe4274bd606cf8bbb5033bacc2cd665a31022b93c

Download Submit
C:\Users\Admin\AppData\Local\Temp\E7DB1F00-BAB0-7891-8D77-BD1334535F5E\HtmlScreens\eula.html

Filesize
62KB

MD5
43f3c7282a5cf225a4c8ab580309f27d

SHA1
7b2f6df42893c42b404cdf2bf0b020e83ac58075

SHA256
1750ba16aea8d20b9449a696b0fb20f6c9c5403daed15a6c118ffdcc71b77b47

SHA512
7c24fb911d56bf6a2481a2d1800bb0e3c7445178eb39cec15181a325f07b462b8b936495f989918adc52d6e550665afdacf69ae2b2e3711a9b1abadc0ae34d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\E7DB1F00-BAB0-7891-8D77-BD1334535F5E\HtmlScreens\pBar.gif

Filesize
3KB

MD5
26621cb27bbc94f6bab3561791ac013b

SHA1
4010a489350cf59fd8f36f8e59b53e724c49cc5b

SHA256
e512d5b772fef448f724767662e3a6374230157e35cab6f4226496acc7aa7ad3

SHA512
9a19e8f233113519b22d9f3b205f2a3c1b59669a0431a5c3ef6d7ed66882b93c8582f3baa13df4647bcc265d19f7c6543758623044315105479d2533b11f92c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\E7DB1F00-BAB0-7891-8D77-BD1334535F5E\HtmlScreens\page2.css

Filesize
2KB

MD5
613f21fd9be71493f7f0f7f289faba46

SHA1
3085884627bb5cbe1af9c29e9acaf353299b192f

SHA256
dc7e17ccfdf805ea69c553abdea2b6a86fd27ec68d58f759b9a85e5a4be98e17

SHA512
3be478d24f712d2b4ca3d9142fc446986426290678ddc89518155e7c46a6bae5659b9a748b30eb26ba20323c9d9a2c67e7dfe770d0689ab1548a9a48568df8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\E7DB1F00-BAB0-7891-8D77-BD1334535F5E\HtmlScreens\page2.html

Filesize
3KB

MD5
652dc84986ad79e823d07a0503f39fa2

SHA1
bb209be48b2bc746ee0f600fb18027fc9dd96b57

SHA256
18e1f4d19a0caed84851fbc3d7b1ad84da141b0b9553cfb7ab43671ad5bbba75

SHA512
abb9768bbbfbb88be990b7875c1bf93552567a736857cd97382a9c9c5837dad532acb9376071348b6f7a4021519d0a2b612c5120fb20efb257cf382d15226353

Download Submit
C:\Users\Admin\AppData\Local\Temp\E7DB1F00-BAB0-7891-8D77-BD1334535F5E\HtmlScreens\page2.js

Filesize
3KB

MD5
574d29f591a6c8e41526740aef35aef5

SHA1
16fd09104a40386b55d7a241c34841e1f881b346

SHA256
b1a88b9f78cb51b78b0abc00706269540cbddd4d22d06ef597c30aeda3f1806b

SHA512
86a1907fe6f9729eb6fc8b91a9581f071a608e2b808a49419efcd5930ea9408f45af2faeba92aa174c7fa680d014eebac001637622e0157065d4b898670c82fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\E7DB1F00-BAB0-7891-8D77-BD1334535F5E\HtmlScreens\page2Lrg.css

Filesize
1KB

MD5
3acbc4a0b720fd5daff11530ae9e0295

SHA1
23031d0a31bc05de190843a9b0d8b3745c796385

SHA256
59b5de1efe45a796fab6130ee94db0dc13be896ab798e126cb2c5889aead32b7

SHA512
abc4815f7df7f65c57c61facd568616c9b844cdfea8d12ae819987dcec256d82c7ef040c1df24be2ddef0b42601f1a8e22755b7320d1fcbcee0dd94055092b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\E7DB1F00-BAB0-7891-8D77-BD1334535F5E\HtmlScreens\page9.html

Filesize
668B

MD5
69d63df890d8445501ac73835d7966d3

SHA1
f385c25afc2b5180e7f0c34b2de8089c68f654f7

SHA256
041569cede5fc91021a788647e4dc1b4a1c3f925f2bbb8857dce0930bd3838ef

SHA512
879735c74bc6b2467ce2f5c88ff755191d781207fbdda9f65f4b0f032ca638c96413f049607bbe65672d51254456f159bc9f95a3fe9d67234087c046fd9de128

Download Submit
C:\Users\Admin\AppData\Local\Temp\E7DB1F00-BAB0-7891-8D77-BD1334535F5E\HtmlScreens\title2.png

Filesize
44KB

MD5
a9e1f1f2b2628c6ee61c1e11c7288baf

SHA1
48b2f87ad6bc5d7cdc22500df46a967acb077cfa

SHA256
c336644e20a898fc28b216d91908c9ed4b716f572c0b06d5b3a5a68e43c6aeb9

SHA512
3027aead5dc0a2de2dfe7bbdaefeac1dfc1829db1edcd60493f51bbe3d3f75363b938f60a2cc6c46dd9992d9c33df5f8ab7a62e4235ca0858358cb73ad2dc514

Download Submit
C:\Users\Admin\AppData\Local\Temp\E7DB1F00-BAB0-7891-8D77-BD1334535F5E\HtmlScreens\toolBar.jpg

Filesize
19KB

MD5
56dc3cb42b46309e642c15167003685d

SHA1
045749de2c1492e5dfc4c44f9eb6c0feefe06b3d

SHA256
bc488502223b3369dd657e8bac70abc42ffde2223a0661fb507c8ec87778bca1

SHA512
5f3dc868d6e128407e071d6d7d7b9d0bbe7e45a32ff76985dfa53fe9dad0f5fb372ce64d35170c3719a06dd6762e4bb33089bfaedf93e6064c06c74a21b65a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\E7DB1F00-BAB0-7891-8D77-BD1334535F5E\SetupStrings.dat

Filesize
57KB

MD5
19f47f9cab41a5e07d49a4171748b598

SHA1
d30b022c9d85be7384f26f335e01e56d2ef1a9e6

SHA256
07638d54048adfb3229fbc6a56a8b7ff6f3a8370bf942306ecb5352de64c3e86

SHA512
b83181ffa46ac732e6c4aabcc26b77ee594c1381311ddde3151b7e740e80c07ef84c5910e535696b4ccf8ddb11b1c5b8b3d387ba08ec346bc375c0d2f490dfb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\E7DB1F00-BAB0-7891-8D77-BD1334535F5E\Welcome.html

Filesize
181B

MD5
60cc99484aff4518a7af6b1930b05a79

SHA1
b84b636c034a30734b800ca5bac6172718b2c3c9

SHA256
6f1b2c556285483bd71ac0cae654713e2433034783a1e0924a416989326f6c15

SHA512
2e6d22c885b3115a5edc3fa6c3fadb6a32002735b5228640a54593febbd696c6eca9188a9de79eebb88874d68287365a5f50ec75a933032fcce3c351546b961b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E7DB1F00-BAB0-7891-8D77-BD1334535F5E\bab033.tbinst.dat

Filesize
236B

MD5
1ee8c638e49ee7137607722768afc5a2

SHA1
8719d7a498a49b042cd6fc411cac6c44f3c0f43a

SHA256
1368324e8df1654fb9c3bcae320e982ff9f40e76e0cc118d5f507649e1ec2f2e

SHA512
2acb5547bb9b62505a5332e3b2752c5004fee9579bc45c46271e53d42fff5f412f3a18863ed382052d961d33d0e0449d9c111950060663660d7dbb21e9bff575

Download Submit
C:\Users\Admin\AppData\Local\Temp\E7DB1F00-BAB0-7891-8D77-BD1334535F5E\bab091.norecovericon.dat

Filesize
174B

MD5
4f6e1fdbef102cdbd379fdac550b9f48

SHA1
5da6ee5b88a4040c80e5269e0cd2b0880b20659c

SHA256
e58ea352c050e6353fb5b4fa32a97800298c1603489d3b47794509af6c89ec4c

SHA512
54efc9bde44f332932a97396e59eca5b6ea1ac72f929ccffa1bdab96dc3ae8d61e126adbd26d12d0bc83141cee03b24ad2bada411230c4708b7a9ae9c60aecbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\E7DB1F00-BAB0-7891-8D77-BD1334535F5E\sqlite3.dll

Filesize
508KB

MD5
0f66e8e2340569fb17e774dac2010e31

SHA1
406bb6854e7384ff77c0b847bf2f24f3315874a3

SHA256
de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f

SHA512
39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05

Download Submit
\Users\Admin\AppData\Local\Temp\E7DB1F00-BAB0-7891-8D77-BD1334535F5E\Setup.exe

Filesize
1.7MB

MD5
f4ceb84972322a3a32d489cb0f41590e

SHA1
953d44f4bf59b02be6e35587daf60e63463e78c3

SHA256
4fe0efff79c8e0f6d86d9cde54fec01e90ea6513ea772afb12dbc5d5b736787b

SHA512
897b1b8c3fb457a154330ae335c36e458548ec7b6471143c5fe58c35abc87f420f387a36006ef2dcc3fc5e0e5e85bdfacf0e757797b97484f47aff7ca51a47f7

Download Submit