sharpstealer | a67d7bad3484883985727a2dcb0d586104ba10c3eed594a878c2fb1f8db92536

Analysis

max time kernel
127s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

External.exe
Size

4.1MB
MD5

7b9641ed9ec61b9373a59bf5a2f03d72
SHA1

68b9c7560f8c2a907fb7b917fce027a206084550
SHA256

a67d7bad3484883985727a2dcb0d586104ba10c3eed594a878c2fb1f8db92536
SHA512

74cbae4d841f5749013b01324e3ccc2920686de5da3107e2c42604afafcd038acfb53837b0433d2f160201d68910a103f6abe6dfe5d21becf3fcd594734dc59e
SSDEEP

98304:DjQw068KkM3pcPuOI66CF+EVeeVlRi0Du4Cs:1kY6Pbpt+ETlRDu4Cs

Score

10^/10

sharpstealer credential_access discovery spyware stealer

Malware Config

Extracted

Family

sharpstealer

https://api.telegram.org/bot7401113895:AAFvlwi14CnG7Kh8lb6sl-p8Z2vBNorD6Pw/sendMessage?chat_id=1171093658

Attributes

max_exfil_filesize
1.5e+06
proxy_port
168.235.103.57:3128
vime_world
false

aes.plain

Signatures

Sharp Stealer
Sharp Stealer is an infostealer first observed in 2024, based on Echelon and Umbral stealers.
stealer sharpstealer
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	External.exe

Executes dropped EXE 1 IoCs

pid	Process
1736	windows.exe

Loads dropped DLL 1 IoCs

pid	Process
1736	windows.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	api.ipify.org
9	api.ipify.org
11	freegeoip.app
12	ip-api.com
13	freegeoip.app

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	External.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	windows.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	windows.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1736	windows.exe
1736	windows.exe
1736	windows.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1736	windows.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 1736	5048	External.exe	92
PID 5048 wrote to memory of 1736	5048	External.exe	92

C:\Users\Admin\AppData\Local\Temp\External.exe
"C:\Users\Admin\AppData\Local\Temp\External.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Users\Admin\AppData\Local\Temp\windows.exe
  "C:\Users\Admin\AppData\Local\Temp\windows.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3664,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=3884 /prefetch:8
1⤵
PID:4580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\23da23d9-8706-4fc3-9807-f42731fb8b82

Filesize
56KB

MD5
7872fbf0a1bb518682babda3d8dc7b4e

SHA1
9714d4f9f7e7c3b9a99f656b88b3a10cbd9c65e4

SHA256
a821fa964b5c5273f0e4696e98815f07113c85436cc468f41f39722e7d2767c2

SHA512
f91bb32e1675f822af53ebc91dc5764625b13bc2e365dcf795e1132525857e5d43a18b2f53b4bb70722aef7a0eafd5b3e4d1805f8567d325d34ae41c281832c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\BouncyCastle.Crypto.dll

Filesize
3.2MB

MD5
0cf454b6ed4d9e46bc40306421e4b800

SHA1
9611aa929d35cbd86b87e40b628f60d5177d2411

SHA256
e51721dc0647f4838b1abc592bd95fd8cb924716e8a64f83d4b947821fa1fa42

SHA512
85262f1bc67a89911640f59a759b476b30ca644bd1a1d9cd3213cc8aae16d7cc6ea689815f19b146db1d26f7a75772ceb48e71e27940e3686a83eb2cf7e46048

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQLite.Interop.dll

Filesize
1.7MB

MD5
a73fdfb6815b151848257eca042a42ef

SHA1
73f18e6b4d1f638e7ce2a7ad36635018482f2c55

SHA256
10c9ccec863ed80850c7b7080e4f2e34b133ce259d1ae3ea7a305cebf6e2940d

SHA512
111f5a7bd916ab317fc127cbf49a2a81c2a614ce3a655a0446f2ebf3c2e61509db5633a391bef06c4ba0b58a71c752262ec2467a09abc56827263c647b08a09d

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll

Filesize
402KB

MD5
b0911d27918a1e20088b4e6b6ec29ad3

SHA1
93a285c96a4d391ea4fe6655caaa0bbf2ee52683

SHA256
24043ef4472d9d035cd1a8294f68d2bbfdf76f5455af80c09c89e64f6ed15917

SHA512
518da2e73b849be38570d7db218adeb47f85fde89c15dac577eb1446a9a55bb4cfaf31d371428b9c4f0c69c0be3e2cb10fafcadbec24e8ab793b639392e3f029

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5D59.tmp.dat

Filesize
232KB

MD5
a929b980471271362afbf37ee6979a2a

SHA1
59d10c4da79fc379ef7c494c1d307afdeeba428b

SHA256
6903dd73800066aa184bd889553b9840e4f1b04a318ec5c045dddeb6647415cd

SHA512
83acfd213741b9d1773db176ea956971d2f03c7c370bd740eb71881acec967eb6855ee9010eae382ef30e5a6ae8df7bd8892032fb232a038378d5e5b41d98af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5D5C.tmp.dat

Filesize
192KB

MD5
afa36fe96980a30aafbf14d59841152f

SHA1
3c97dd026fdbaf27c693294c1c3cd45bcd204551

SHA256
5de6eff96c5db617ba9daa9822ec91e87d3b562771557b539376a6ce1c71936c

SHA512
e592edbb241779b15cf1463077419818fd62f34411fa18d776ee5aff001f461b3a00ec90299774ce8eccd340549141b6c3d31ff461e365a38e906584398233dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\windows.exe

Filesize
396KB

MD5
cfcf2df87dd10edff1e1b2be2e811236

SHA1
82ffe1f1b75efdd5215d7cbefb116f778e0f3864

SHA256
e49bf534ec416f57a546fc1cb0600ec1a441fba576fd1c6212d38090e5dacbe8

SHA512
e5807f901b884c71668deaebc042f1a9bd4335aa3e41258023a8d9e8d5559be454dfa6f1b71afef1d9bfc1c8e8f27628dc9375ec29559377566c845f6bfea2f8

Download Submit
C:\Новая папка\Process.txt

Filesize
1KB

MD5
386b364a18faf6e52c461fb19ee9d08b

SHA1
7cd73ae11f0f2eaeb40597fd516ce8a2b5b57082

SHA256
216d8ce26f40482a395195cc2a8c8ea64d8ed5c2316f52ba857b71de7a375f60

SHA512
ad8a6c2b994298a836c0f36151352cf6c2b2bac05428a6e15dca6b3a915dda6d5147be6394bc71cd0ab8c001a79bdd941ff08413b417451be44a8704d8ec2067

Download Submit
memory/1736-76-0x0000021E3B780000-0x0000021E3B7D0000-memory.dmp

Filesize
320KB

Download
memory/1736-96-0x0000021E3DB70000-0x0000021E3DD32000-memory.dmp

Filesize
1.8MB

Download
memory/1736-79-0x0000021E3B940000-0x0000021E3B9B6000-memory.dmp

Filesize
472KB

Download
memory/1736-81-0x0000021E3B730000-0x0000021E3B752000-memory.dmp

Filesize
136KB

Download
memory/1736-75-0x0000021E3B800000-0x0000021E3B8B2000-memory.dmp

Filesize
712KB

Download
memory/1736-89-0x0000021E3B900000-0x0000021E3B93A000-memory.dmp

Filesize
232KB

Download
memory/1736-91-0x0000021E22BD0000-0x0000021E22BF6000-memory.dmp

Filesize
152KB

Download
memory/1736-22-0x00007FFEBF610000-0x00007FFEC00D1000-memory.dmp

Filesize
10.8MB

Download
memory/1736-92-0x0000021E3D840000-0x0000021E3DB6E000-memory.dmp

Filesize
3.2MB

Download
memory/1736-84-0x0000021E3BAC0000-0x0000021E3BB26000-memory.dmp

Filesize
408KB

Download
memory/1736-21-0x0000021E20DE0000-0x0000021E20E4A000-memory.dmp

Filesize
424KB

Download
memory/1736-103-0x00007FFEBF613000-0x00007FFEBF615000-memory.dmp

Filesize
8KB

Download
memory/1736-104-0x00007FFEBF610000-0x00007FFEC00D1000-memory.dmp

Filesize
10.8MB

Download
memory/1736-106-0x00007FFEBF610000-0x00007FFEC00D1000-memory.dmp

Filesize
10.8MB

Download
memory/1736-20-0x00007FFEBF613000-0x00007FFEBF615000-memory.dmp

Filesize
8KB

Download
memory/1736-205-0x0000021E3B8C0000-0x0000021E3B8DE000-memory.dmp

Filesize
120KB

Download
memory/1736-207-0x00007FFEBF610000-0x00007FFEC00D1000-memory.dmp

Filesize
10.8MB

Download