Extracted

• • Target

    BICRcX6Pvf5zpEt1BZ4IVrsNS65WQZHSWjh.exe

  • Size

    55.5MB

  • MD5

    6272da297e47e6a0918a0675b0be7267

  • SHA1

    0884932ef6630e48f53ff26651cc262308aeac96

  • SHA256

    28075a1b2ba7e1b7a6d39ac6f9cd7e078b0ab655ea4a91f70dcb781f96c8f567

  • SHA512

    01018117762fa89f1dccccc649c4ff4fcc6a1c50aee7b767c33bb3c55a7a676052772ce71e4a197eadb6d248108061ea7c153b341bcaae6239eebc55e800896d

  • SSDEEP

    1572864:PIkT34Cvud6nzHJZyxXXpMUUoqBSZo+i9j6Pl/0Hv7iGW3:PnTICvs6zH72Xp7Uoqozy40P7i9

  Score

  10^/10

  stealeriumdiscoverypersistencepyinstallerstealerupxcredential_accessprivilege_escalationspyware

  • Stealerium

    An open source info stealer written in C# first seen in May 2022.

    stealerstealerium

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2