fredy | b7e53f4caa02a64fa0335166f03a9f45554481dbd62442046143ae9b8550aa33

General

Target

fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
Size

1.6MB
MD5

f3ec92776e756b393a09b1af72f697c8
SHA1

edc146728bc006b76094dd1d21a8217e612bef0f
SHA256

fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607
SHA512

32ca2c0d48427d5890e3e0af419f554528d9c29b143f4fa19369298a05d05be393914cb602e9069735f8c24793ae2687c773e11954246313f427d0f3135a065d
SSDEEP

49152:C85F9jLrmRlBprqFOFtTEO+iaFsvVjrB:C81jPsl32FOrEnF

Score

10^/10

fredy credential_access discovery spyware stealer

Malware Config

Signatures

Detects Fredy Stealer Payload 7 IoCs

Fredy Stealer is an infostealer written in C++.

resource	yara_rule
behavioral2/memory/5068-0-0x00000000007E0000-0x0000000000B19000-memory.dmp	family_fredy
behavioral2/memory/5068-3-0x00000000007E0000-0x0000000000B19000-memory.dmp	family_fredy
behavioral2/memory/5068-2-0x00000000007E0000-0x0000000000B19000-memory.dmp	family_fredy
behavioral2/memory/5068-1-0x00000000007E0000-0x0000000000B19000-memory.dmp	family_fredy
behavioral2/memory/5068-4-0x00000000007E0000-0x0000000000B19000-memory.dmp	family_fredy
behavioral2/memory/5068-15-0x00000000007E0000-0x0000000000B19000-memory.dmp	family_fredy
behavioral2/memory/5068-63-0x00000000007E0000-0x0000000000B19000-memory.dmp	family_fredy

Fredy Stealer
Fredy Stealer is an infostealer written in C++.
stealer fredy
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Executes dropped EXE 1 IoCs

pid	Process
2740	Activator.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
File opened (read-only)	\??\F:	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
46	ipinfo.io
18	ipinfo.io
19	ipinfo.io
44	ipinfo.io

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
456	5068	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Activator.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 2740	5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe	91
PID 5068 wrote to memory of 2740	5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe	91
PID 5068 wrote to memory of 2740	5068	fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe	91

C:\Users\Admin\AppData\Local\Temp\fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe
"C:\Users\Admin\AppData\Local\Temp\fb240f8a4aa481c107c8dc11f1831558f109838f7e887247383fca779f562607.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Users\Admin\AppData\Local\Temp\Activator.exe
  "C:\Users\Admin\AppData\Local\Temp\Activator.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2740
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 1104
  2⤵
  - Program crash
  PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5068 -ip 5068
1⤵
PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Browser Information Discovery

1

T1217

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Activator.exe

Filesize
194KB

MD5
2b2204c85f334de4695369f631926664

SHA1
f2704bd77341c26f3217cde9d9458b072a550f34

SHA256
69db6b1262af756060efd63ca54a933cbec740ac193221a88bbc46df9ac53de9

SHA512
e7cfd3d263cb93e06470279fc22fac243080619a12490ba2c3daaeda0cf6b74da095129d38db3180b1c3478d30f96ae8701bb684cca44e40993efeba620aa019

Download Submit
memory/2740-12-0x0000000005730000-0x00000000057C2000-memory.dmp

Filesize
584KB

Download
memory/2740-17-0x00000000746C0000-0x0000000074E70000-memory.dmp

Filesize
7.7MB

Download
memory/2740-16-0x00000000746CE000-0x00000000746CF000-memory.dmp

Filesize
4KB

Download
memory/2740-13-0x0000000005900000-0x000000000590A000-memory.dmp

Filesize
40KB

Download
memory/2740-14-0x00000000746C0000-0x0000000074E70000-memory.dmp

Filesize
7.7MB

Download
memory/2740-9-0x00000000746CE000-0x00000000746CF000-memory.dmp

Filesize
4KB

Download
memory/2740-10-0x0000000000D10000-0x0000000000D46000-memory.dmp

Filesize
216KB

Download
memory/2740-11-0x0000000005C40000-0x00000000061E4000-memory.dmp

Filesize
5.6MB

Download
memory/5068-4-0x00000000007E0000-0x0000000000B19000-memory.dmp

Filesize
3.2MB

Download
memory/5068-0-0x00000000007E0000-0x0000000000B19000-memory.dmp

Filesize
3.2MB

Download
memory/5068-1-0x00000000007E0000-0x0000000000B19000-memory.dmp

Filesize
3.2MB

Download
memory/5068-15-0x00000000007E0000-0x0000000000B19000-memory.dmp

Filesize
3.2MB

Download
memory/5068-2-0x00000000007E0000-0x0000000000B19000-memory.dmp

Filesize
3.2MB

Download
memory/5068-3-0x00000000007E0000-0x0000000000B19000-memory.dmp

Filesize
3.2MB

Download
memory/5068-63-0x00000000007E0000-0x0000000000B19000-memory.dmp

Filesize
3.2MB

Download

Analysis

Sharing