Analysis Overview
SHA256: e28e65b42f2596dc34c9845728e4ee6884d3e42b20397a9c4fcbe8cd63f8c193
Threat Level: Known bad
The file hack-browser-data.exe was found to be: Known bad.
Malicious Activity Summary
Hackbrowserdata family
An open source browser data exporter written in golang.
Credentials from Password Stores: Credentials from Web Browsers
Reads user/profile data of web browsers
Unsigned PE
Browser Information Discovery
Checks processor information in registry
Modifies registry class
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-08-25 18:20
Signatures
An open source browser data exporter written in golang.
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Hackbrowserdata family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-08-25 18:20
Reported: 2024-08-25 18:20
Platform: win10-20240404-en
Max time kernel: 22s
Max time network: 17s
Command Line
Signatures
Credentials from Password Stores: Credentials from Web Browsers
Reads user/profile data of web browsers
Browser Information Discovery
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\hack-browser-data.exe
"C:\Users\Admin\AppData\Local\Temp\hack-browser-data.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3696.0.297651966\1159656960" -parentBuildID 20221007134813 -prefsHandle 1568 -prefMapHandle 1676 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb132db4-2a9a-467c-8d16-194cbc93ba61} 3696 "\\.\pipe\gecko-crash-server-pipe.3696" 1764 20efc1f4e58 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3696.1.116504047\591854436" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f77ea730-f0b2-4c59-b672-2c47e0e0fd24} 3696 "\\.\pipe\gecko-crash-server-pipe.3696" 2120 20ee9d71f58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3696.2.1993291175\523370120" -childID 1 -isForBrowser -prefsHandle 2916 -prefMapHandle 2912 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {abc61f7c-d0ab-4843-a0a7-9b485b0fa6b7} 3696 "\\.\pipe\gecko-crash-server-pipe.3696" 2776 20e82399358 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3696.3.657541337\652506835" -childID 2 -isForBrowser -prefsHandle 3392 -prefMapHandle 3396 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {26790062-fce0-4770-87d1-94e3ae821b32} 3696 "\\.\pipe\gecko-crash-server-pipe.3696" 3408 20e80972158 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3696.4.1723205267\437920672" -childID 3 -isForBrowser -prefsHandle 4252 -prefMapHandle 4248 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f4e2d81-3285-421b-a95e-0687146e2ada} 3696 "\\.\pipe\gecko-crash-server-pipe.3696" 4264 20e841dce58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3696.5.489251939\1775923981" -childID 4 -isForBrowser -prefsHandle 5084 -prefMapHandle 5076 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e29fa7d-fdeb-4b65-b8fe-f4c9780448d3} 3696 "\\.\pipe\gecko-crash-server-pipe.3696" 5008 20e84518958 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3696.6.1048838481\8887943" -childID 5 -isForBrowser -prefsHandle 5096 -prefMapHandle 5092 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f72fa0f-7882-4efc-a9fd-8ee54666b926} 3696 "\\.\pipe\gecko-crash-server-pipe.3696" 4860 20e84fbed58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3696.7.1291295896\1288412971" -childID 6 -isForBrowser -prefsHandle 4888 -prefMapHandle 5008 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1360 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {80595258-1d73-4b6a-8f31-c1152895f49b} 3696 "\\.\pipe\gecko-crash-server-pipe.3696" 5192 20e84fbf958 tab
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| N/A | 127.0.0.1:49856 | N/A | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 166.188.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.162.71.54.in-addr.arpa | udp |
| N/A | 127.0.0.1:49863 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Session Storage_8.temp\CURRENT.bak
C:\Users\Admin\AppData\Local\Temp\Session Storage_8.temp\MANIFEST-000001
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\a760aa01-029a-4af2-95a8-8785afad7f4a
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\382316be-bcae-41a5-b9b1-eee4c383dd0d
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\db\data.safe.bin
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4