Overview

overview

10

Static

static

3

a67d7bad34...36.exe

windows7-x64

10

a67d7bad34...36.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-09-2024 01:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a67d7bad3484883985727a2dcb0d586104ba10c3eed594a878c2fb1f8db92536.exe

  • Size

    4.1MB

  • MD5

    7b9641ed9ec61b9373a59bf5a2f03d72

  • SHA1

    68b9c7560f8c2a907fb7b917fce027a206084550

  • SHA256

    a67d7bad3484883985727a2dcb0d586104ba10c3eed594a878c2fb1f8db92536

  • SHA512

    74cbae4d841f5749013b01324e3ccc2920686de5da3107e2c42604afafcd038acfb53837b0433d2f160201d68910a103f6abe6dfe5d21becf3fcd594734dc59e

  • SSDEEP

    98304:DjQw068KkM3pcPuOI66CF+EVeeVlRi0Du4Cs:1kY6Pbpt+ETlRDu4Cs

Score
10/10
sharpstealercredential_accessdiscoveryspywarestealer

Malware Config

Extracted

Family

sharpstealer

C2

https://api.telegram.org/bot7401113895:AAFvlwi14CnG7Kh8lb6sl-p8Z2vBNorD6Pw/sendMessage?chat_id=1171093658

Attributes
  • max_exfil_filesize

    1.5e+06

  • proxy_port

    168.235.103.57:3128

  • vime_world

    false

aes.plain

Signatures

  • Sharp Stealer

    Sharp Stealer is an infostealer first observed in 2024, based on Echelon and Umbral stealers.

    stealersharpstealer
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a67d7bad3484883985727a2dcb0d586104ba10c3eed594a878c2fb1f8db92536.exe
    "C:\Users\Admin\AppData\Local\Temp\a67d7bad3484883985727a2dcb0d586104ba10c3eed594a878c2fb1f8db92536.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3684
    • C:\Users\Admin\AppData\Local\Temp\windows.exe
      "C:\Users\Admin\AppData\Local\Temp\windows.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3620

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3fdfb5c4-c013-43d1-ae47-3b604e2191ad
    Filesize

    48KB

    MD5

    349e6eb110e34a08924d92f6b334801d

    SHA1

    bdfb289daff51890cc71697b6322aa4b35ec9169

    SHA256

    c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

    SHA512

    2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\BouncyCastle.Crypto.dll
    Filesize

    3.2MB

    MD5

    0cf454b6ed4d9e46bc40306421e4b800

    SHA1

    9611aa929d35cbd86b87e40b628f60d5177d2411

    SHA256

    e51721dc0647f4838b1abc592bd95fd8cb924716e8a64f83d4b947821fa1fa42

    SHA512

    85262f1bc67a89911640f59a759b476b30ca644bd1a1d9cd3213cc8aae16d7cc6ea689815f19b146db1d26f7a75772ceb48e71e27940e3686a83eb2cf7e46048

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll
    Filesize

    695KB

    MD5

    195ffb7167db3219b217c4fd439eedd6

    SHA1

    1e76e6099570ede620b76ed47cf8d03a936d49f8

    SHA256

    e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

    SHA512

    56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\SQLite.Interop.dll
    Filesize

    1.7MB

    MD5

    a73fdfb6815b151848257eca042a42ef

    SHA1

    73f18e6b4d1f638e7ce2a7ad36635018482f2c55

    SHA256

    10c9ccec863ed80850c7b7080e4f2e34b133ce259d1ae3ea7a305cebf6e2940d

    SHA512

    111f5a7bd916ab317fc127cbf49a2a81c2a614ce3a655a0446f2ebf3c2e61509db5633a391bef06c4ba0b58a71c752262ec2467a09abc56827263c647b08a09d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll
    Filesize

    402KB

    MD5

    b0911d27918a1e20088b4e6b6ec29ad3

    SHA1

    93a285c96a4d391ea4fe6655caaa0bbf2ee52683

    SHA256

    24043ef4472d9d035cd1a8294f68d2bbfdf76f5455af80c09c89e64f6ed15917

    SHA512

    518da2e73b849be38570d7db218adeb47f85fde89c15dac577eb1446a9a55bb4cfaf31d371428b9c4f0c69c0be3e2cb10fafcadbec24e8ab793b639392e3f029

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp7CF8.tmp.dat
    Filesize

    116KB

    MD5

    f70aa3fa04f0536280f872ad17973c3d

    SHA1

    50a7b889329a92de1b272d0ecf5fce87395d3123

    SHA256

    8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

    SHA512

    30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp7CFF.tmp.dat
    Filesize

    124KB

    MD5

    9618e15b04a4ddb39ed6c496575f6f95

    SHA1

    1c28f8750e5555776b3c80b187c5d15a443a7412

    SHA256

    a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

    SHA512

    f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\windows.exe
    Filesize

    396KB

    MD5

    cfcf2df87dd10edff1e1b2be2e811236

    SHA1

    82ffe1f1b75efdd5215d7cbefb116f778e0f3864

    SHA256

    e49bf534ec416f57a546fc1cb0600ec1a441fba576fd1c6212d38090e5dacbe8

    SHA512

    e5807f901b884c71668deaebc042f1a9bd4335aa3e41258023a8d9e8d5559be454dfa6f1b71afef1d9bfc1c8e8f27628dc9375ec29559377566c845f6bfea2f8

    Download Submit

  • C:\Новая папка\Process.txt
    Filesize

    1KB

    MD5

    6435844be632425f4ae73fb8f88df351

    SHA1

    be8e57f84074baa774284b08c7dc401057576334

    SHA256

    c062b0cb484260c52c47890fd2bb9ee7fb4c9359b21b2071a68700f3361dabea

    SHA512

    9bb89807cd4273ac74b4a983027396375af07026ce2235413c17ee2247253296c4624f1548010ddfac371098fa3be101a00b16077adb9623795a2b94777ef802

    Download Submit

  • memory/3620-86-0x000001EB1BCA0000-0x000001EB1BD06000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3620-94-0x000001EB1B6E0000-0x000001EB1B706000-memory.dmp

    Filesize

    152KB

    Download

  • memory/3620-82-0x000001EB1BBE0000-0x000001EB1BC92000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3620-83-0x000001EB1BB20000-0x000001EB1BB70000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3620-80-0x000001EB1BAA0000-0x000001EB1BB16000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3620-90-0x000001EB1C9B0000-0x000001EB1CCDE000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/3620-22-0x00007FFDF73C0000-0x00007FFDF7E81000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3620-84-0x000001EB1BA20000-0x000001EB1BA42000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3620-95-0x00007FFDFE3A0000-0x00007FFDFE3C6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/3620-93-0x000001EB1C680000-0x000001EB1C6BA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3620-99-0x000001EB1D8D0000-0x000001EB1DA92000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3620-21-0x000001EB01110000-0x000001EB0117A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/3620-105-0x00007FFDF73C0000-0x00007FFDF7E81000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3620-20-0x00007FFDF73C3000-0x00007FFDF73C5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3620-194-0x000001EB1BBC0000-0x000001EB1BBDE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3620-196-0x00007FFDF73C0000-0x00007FFDF7E81000-memory.dmp

    Filesize

    10.8MB

    Download