3eb4b618d149462629c3c7c6bcfe40fb212485a5310a3ff6809d7aaf4befabdb

General

Target

3eb4b618d149462629c3c7c6bcfe40fb212485a5310a3ff6809d7aaf4befabdb.exe
Size

3.1MB
MD5

daf1916511811c5c9f879a1299141822
SHA1

cc2fcbfc3ebbf57785df5fe3f8ed1874622e3e04
SHA256

3eb4b618d149462629c3c7c6bcfe40fb212485a5310a3ff6809d7aaf4befabdb
SHA512

8ec1ebf6afca7ec4596fefe87837df7a931373cfb023cbe62a8776c4ddb84df027c1e07a312b55d3a6ca8753f07f0300a9408e3cf025b3f31ff573720e033c5d
SSDEEP

49152:DVAbw8VyRPkVwSdyKE6a8anqApzEVZnk8m0Uf89+zvi1QXsy4TpM+DWUl+n1aso:pA7VyRPS7MLq4ykF09+riyXWz6Ha

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
1156	setup.exe
2612	setup.exe
2740	setup.exe

Loads dropped DLL 3 IoCs

pid	Process
1156	setup.exe
2612	setup.exe
2740	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3eb4b618d149462629c3c7c6bcfe40fb212485a5310a3ff6809d7aaf4befabdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1156	setup.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 1156	3508	3eb4b618d149462629c3c7c6bcfe40fb212485a5310a3ff6809d7aaf4befabdb.exe	86
PID 3508 wrote to memory of 1156	3508	3eb4b618d149462629c3c7c6bcfe40fb212485a5310a3ff6809d7aaf4befabdb.exe	86
PID 3508 wrote to memory of 1156	3508	3eb4b618d149462629c3c7c6bcfe40fb212485a5310a3ff6809d7aaf4befabdb.exe	86
PID 1156 wrote to memory of 2612	1156	setup.exe	89
PID 1156 wrote to memory of 2612	1156	setup.exe	89
PID 1156 wrote to memory of 2612	1156	setup.exe	89
PID 1156 wrote to memory of 2740	1156	setup.exe	91
PID 1156 wrote to memory of 2740	1156	setup.exe	91
PID 1156 wrote to memory of 2740	1156	setup.exe	91

C:\Users\Admin\AppData\Local\Temp\3eb4b618d149462629c3c7c6bcfe40fb212485a5310a3ff6809d7aaf4befabdb.exe
"C:\Users\Admin\AppData\Local\Temp\3eb4b618d149462629c3c7c6bcfe40fb212485a5310a3ff6809d7aaf4befabdb.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Users\Admin\AppData\Local\Temp\7zS4BDB46B7\setup.exe
  C:\Users\Admin\AppData\Local\Temp\7zS4BDB46B7\setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Users\Admin\AppData\Local\Temp\7zS4BDB46B7\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zS4BDB46B7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=112.0.5197.60 --initial-client-data=0x32c,0x330,0x334,0x2f0,0x338,0x74b41b54,0x74b41b60,0x74b41b6c
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2612
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS4BDB46B7\setup.exe

Filesize
6.4MB

MD5
607fb47ad9d20bb16f90e4a38c93bbfe

SHA1
578ea8b4bd0bbd32114bfd61910118c3d9cfc355

SHA256
8a82ae5c857123cc6972b93828f3a6202c0db4d325ea6d5b1e36dcfb290c1e09

SHA512
23470d0aa5989132efa1fcd4b1d183374384e3b75249910c08e22d2fedf315f084028b7299d6f6c0a5230b2ec78179485d0f187d0a87f710d25f1eac81939e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2408182338129691156.dll

Filesize
5.9MB

MD5
1e6485e90130bb0cffd2ae2ca7fef2a2

SHA1
b9c01fddb3921b6f56d8d774eb0364f7024428e8

SHA256
907cb59383443ce62fdcd2eb90e4bf32cf3a0de6078e708f694dfc7bd7166b5b

SHA512
e28ec73e1465591827f092b71ab740a8de0b7ffcf5af0b3e4c1c8be37f16f1a87ae4fdfe23c25a305741a5aaf30fd2aab77f55061eb729f0dc5e64aef3dd6527

Download Submit

Analysis

Sharing