43a3b91fc2972f12c00128e620d1ad78e45d5920db829cdbc207713a5e0a62f7

General

Target

Trojan.Hooker.ATA_virussign.com_ce83ad6b2883a4b70b93e23ed2bb2f2f.exe
Size

585KB
MD5

ce83ad6b2883a4b70b93e23ed2bb2f2f
SHA1

5a3250089d1d166cf89732fde3fe58ef069bd664
SHA256

43a3b91fc2972f12c00128e620d1ad78e45d5920db829cdbc207713a5e0a62f7
SHA512

5f09de35c1826918c76036fcc2976f8e4fdc02a4bab089db52680fddee826300a6f772b4c7f732f3f79ba3d4fe42c2b6650ceb90bfc1f50366098611685da08a
SSDEEP

12288:vG2tzSMJb9pZ5RgY2yUNK+upN35jGFpVMbonpEPH0zEBQM1SoSbmKZQ:vPxzKtrEPo2QfblQ

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2680 set thread context of 2756	2680	Trojan.Hooker.ATA_virussign.com_ce83ad6b2883a4b70b93e23ed2bb2f2f.exe	30

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan.Hooker.ATA_virussign.com_ce83ad6b2883a4b70b93e23ed2bb2f2f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan.Hooker.ATA_virussign.com_ce83ad6b2883a4b70b93e23ed2bb2f2f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 2756	2680	Trojan.Hooker.ATA_virussign.com_ce83ad6b2883a4b70b93e23ed2bb2f2f.exe	30
PID 2680 wrote to memory of 2756	2680	Trojan.Hooker.ATA_virussign.com_ce83ad6b2883a4b70b93e23ed2bb2f2f.exe	30
PID 2680 wrote to memory of 2756	2680	Trojan.Hooker.ATA_virussign.com_ce83ad6b2883a4b70b93e23ed2bb2f2f.exe	30
PID 2680 wrote to memory of 2756	2680	Trojan.Hooker.ATA_virussign.com_ce83ad6b2883a4b70b93e23ed2bb2f2f.exe	30
PID 2680 wrote to memory of 2756	2680	Trojan.Hooker.ATA_virussign.com_ce83ad6b2883a4b70b93e23ed2bb2f2f.exe	30
PID 2680 wrote to memory of 2756	2680	Trojan.Hooker.ATA_virussign.com_ce83ad6b2883a4b70b93e23ed2bb2f2f.exe	30
PID 2680 wrote to memory of 2756	2680	Trojan.Hooker.ATA_virussign.com_ce83ad6b2883a4b70b93e23ed2bb2f2f.exe	30
PID 2680 wrote to memory of 2756	2680	Trojan.Hooker.ATA_virussign.com_ce83ad6b2883a4b70b93e23ed2bb2f2f.exe	30
PID 2680 wrote to memory of 2756	2680	Trojan.Hooker.ATA_virussign.com_ce83ad6b2883a4b70b93e23ed2bb2f2f.exe	30
PID 2680 wrote to memory of 2756	2680	Trojan.Hooker.ATA_virussign.com_ce83ad6b2883a4b70b93e23ed2bb2f2f.exe	30
PID 2680 wrote to memory of 2756	2680	Trojan.Hooker.ATA_virussign.com_ce83ad6b2883a4b70b93e23ed2bb2f2f.exe	30
PID 2680 wrote to memory of 2756	2680	Trojan.Hooker.ATA_virussign.com_ce83ad6b2883a4b70b93e23ed2bb2f2f.exe	30
PID 2680 wrote to memory of 2756	2680	Trojan.Hooker.ATA_virussign.com_ce83ad6b2883a4b70b93e23ed2bb2f2f.exe	30
PID 2756 wrote to memory of 2688	2756	Trojan.Hooker.ATA_virussign.com_ce83ad6b2883a4b70b93e23ed2bb2f2f.exe	31
PID 2756 wrote to memory of 2688	2756	Trojan.Hooker.ATA_virussign.com_ce83ad6b2883a4b70b93e23ed2bb2f2f.exe	31
PID 2756 wrote to memory of 2688	2756	Trojan.Hooker.ATA_virussign.com_ce83ad6b2883a4b70b93e23ed2bb2f2f.exe	31
PID 2756 wrote to memory of 2688	2756	Trojan.Hooker.ATA_virussign.com_ce83ad6b2883a4b70b93e23ed2bb2f2f.exe	31

C:\Users\Admin\AppData\Local\Temp\Trojan.Hooker.ATA_virussign.com_ce83ad6b2883a4b70b93e23ed2bb2f2f.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.Hooker.ATA_virussign.com_ce83ad6b2883a4b70b93e23ed2bb2f2f.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Users\Admin\AppData\Local\Temp\Trojan.Hooker.ATA_virussign.com_ce83ad6b2883a4b70b93e23ed2bb2f2f.exe
  "C:\Users\Admin\AppData\Local\Temp\Trojan.Hooker.ATA_virussign.com_ce83ad6b2883a4b70b93e23ed2bb2f2f.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\79.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\43489.exe

Filesize
585KB

MD5
ce83ad6b2883a4b70b93e23ed2bb2f2f

SHA1
5a3250089d1d166cf89732fde3fe58ef069bd664

SHA256
43a3b91fc2972f12c00128e620d1ad78e45d5920db829cdbc207713a5e0a62f7

SHA512
5f09de35c1826918c76036fcc2976f8e4fdc02a4bab089db52680fddee826300a6f772b4c7f732f3f79ba3d4fe42c2b6650ceb90bfc1f50366098611685da08a

Download Submit
C:\Users\Admin\AppData\Local\Temp\79.bat

Filesize
174B

MD5
519f09aa8f12ebd434571afd0c49cce6

SHA1
af3cbe80e67b72167e45af0e8575c9e073b5e852

SHA256
8630327cb69015f43701f984895c4d1973f04a08ca4b304cb996330de06f2cb8

SHA512
167a360d625c40c931f0cc8a6eaf07609af9e5ffc448580cb53239d54731b8ce563de2a091764debec13680c1bc397798530ee6799a30030edef0618afac9ccf

Download Submit
memory/2756-6-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2756-11-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2756-10-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2756-9-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2756-0-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2756-5-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2756-2-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2756-4-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2756-13-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2756-12-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2756-7-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2756-27-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2756-24-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing