Overview

overview

10

Static

static

3

External.exe

windows10-1703-x64

10

External.exe

windows7-x64

10

External.exe

windows10-2004-x64

10

External.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    06-09-2024 12:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    External.exe

  • Size

    4.1MB

  • MD5

    7b9641ed9ec61b9373a59bf5a2f03d72

  • SHA1

    68b9c7560f8c2a907fb7b917fce027a206084550

  • SHA256

    a67d7bad3484883985727a2dcb0d586104ba10c3eed594a878c2fb1f8db92536

  • SHA512

    74cbae4d841f5749013b01324e3ccc2920686de5da3107e2c42604afafcd038acfb53837b0433d2f160201d68910a103f6abe6dfe5d21becf3fcd594734dc59e

  • SSDEEP

    98304:DjQw068KkM3pcPuOI66CF+EVeeVlRi0Du4Cs:1kY6Pbpt+ETlRDu4Cs

Score
10/10
sharpstealercredential_accessdiscoveryspywarestealer

Malware Config

Extracted

Family

sharpstealer

C2

https://api.telegram.org/bot7401113895:AAFvlwi14CnG7Kh8lb6sl-p8Z2vBNorD6Pw/sendMessage?chat_id=1171093658

Attributes
  • max_exfil_filesize

    1.5e+06

  • proxy_port

    168.235.103.57:3128

  • vime_world

    false

aes.plain

Signatures

  • Sharp Stealer

    Sharp Stealer is an infostealer first observed in 2024, based on Echelon and Umbral stealers.

    stealersharpstealer
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\External.exe
    "C:\Users\Admin\AppData\Local\Temp\External.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Users\Admin\AppData\Local\Temp\windows.exe
      "C:\Users\Admin\AppData\Local\Temp\windows.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2432
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2432 -s 1496
        3⤵
          PID:2960

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll
      Filesize

      695KB

      MD5

      195ffb7167db3219b217c4fd439eedd6

      SHA1

      1e76e6099570ede620b76ed47cf8d03a936d49f8

      SHA256

      e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

      SHA512

      56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

      Download Submit

    • \Users\Admin\AppData\Local\Temp\windows.exe
      Filesize

      396KB

      MD5

      cfcf2df87dd10edff1e1b2be2e811236

      SHA1

      82ffe1f1b75efdd5215d7cbefb116f778e0f3864

      SHA256

      e49bf534ec416f57a546fc1cb0600ec1a441fba576fd1c6212d38090e5dacbe8

      SHA512

      e5807f901b884c71668deaebc042f1a9bd4335aa3e41258023a8d9e8d5559be454dfa6f1b71afef1d9bfc1c8e8f27628dc9375ec29559377566c845f6bfea2f8

      Download Submit

    • memory/2432-15-0x000007FEF5883000-0x000007FEF5884000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2432-16-0x0000000000190000-0x00000000001FA000-memory.dmp

      Filesize

      424KB

      Download

    • memory/2432-23-0x000000001B890000-0x000000001B942000-memory.dmp

      Filesize

      712KB

      Download

    • memory/2432-45-0x000007FEF5883000-0x000007FEF5884000-memory.dmp

      Filesize

      4KB

      Download