65a97c4b278cd1d973f51446bbba99db03628672cc070a4774a7037e8e1e4d28

General

Target

d2179c32e1d00f92ad9b741639a48ab0N.exe
Size

1004KB
MD5

d2179c32e1d00f92ad9b741639a48ab0
SHA1

1a1e7e4ac740eac96ab49005d889ecbf77968ed0
SHA256

65a97c4b278cd1d973f51446bbba99db03628672cc070a4774a7037e8e1e4d28
SHA512

53615fe4dbb50ca37212e8dd1b7087fb2914a0a034dfbbb1f8894d8c0c80990ccb53a2c0f1b8c53ed893017aebfda981532f84a5752f3ad8b88b40e92caab2e8
SSDEEP

12288:NKE6zhdvk77mVTfHdQrkmSixJvxCKaI4/eiJUIVjrirGWy8Gc7MKgbg0DysOXlfF:mRWx6eKtL0ZJ3I5r

Score

7^/10

credential_access discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1380	XrT.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4564 set thread context of 936	4564	d2179c32e1d00f92ad9b741639a48ab0N.exe	85

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2179c32e1d00f92ad9b741639a48ab0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 936	4564	d2179c32e1d00f92ad9b741639a48ab0N.exe	85
PID 4564 wrote to memory of 936	4564	d2179c32e1d00f92ad9b741639a48ab0N.exe	85
PID 4564 wrote to memory of 936	4564	d2179c32e1d00f92ad9b741639a48ab0N.exe	85
PID 4564 wrote to memory of 936	4564	d2179c32e1d00f92ad9b741639a48ab0N.exe	85
PID 4564 wrote to memory of 936	4564	d2179c32e1d00f92ad9b741639a48ab0N.exe	85
PID 4564 wrote to memory of 936	4564	d2179c32e1d00f92ad9b741639a48ab0N.exe	85
PID 4564 wrote to memory of 936	4564	d2179c32e1d00f92ad9b741639a48ab0N.exe	85
PID 4564 wrote to memory of 936	4564	d2179c32e1d00f92ad9b741639a48ab0N.exe	85
PID 4564 wrote to memory of 936	4564	d2179c32e1d00f92ad9b741639a48ab0N.exe	85
PID 936 wrote to memory of 1380	936	vbc.exe	87
PID 936 wrote to memory of 1380	936	vbc.exe	87

C:\Users\Admin\AppData\Local\Temp\d2179c32e1d00f92ad9b741639a48ab0N.exe
"C:\Users\Admin\AppData\Local\Temp\d2179c32e1d00f92ad9b741639a48ab0N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Users\Admin\AppData\Roaming\XrT.exe
    "C:\Users\Admin\AppData\Roaming\XrT.exe"
    3⤵
    - Executes dropped EXE
    PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\XrT.exe

Filesize
26KB

MD5
cf97bf5424f1bdd50c372fc02e8c8b32

SHA1
4583a32b8329a382c7fa4ff183eb9433af86720c

SHA256
7d4ed67e6745d721079497e28a6fab2d3ed1d0d49966fbcf1493beb3e3814c19

SHA512
e572718f9fb4828b8e8f6ca8d1b5a8cf6f2dced40b23d56da9b5bc2b197a497cf306aff4f20726e8141e88071cdf5e6306be4465bc86dbb13361da39aede8f25

Download Submit
memory/936-4-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/936-24-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/936-6-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/936-5-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1380-26-0x000000001B140000-0x000000001B1E6000-memory.dmp

Filesize
664KB

Download
memory/1380-27-0x00007FF96DCA0000-0x00007FF96E641000-memory.dmp

Filesize
9.6MB

Download
memory/1380-35-0x00007FF96DCA0000-0x00007FF96E641000-memory.dmp

Filesize
9.6MB

Download
memory/1380-34-0x00007FF96DF55000-0x00007FF96DF56000-memory.dmp

Filesize
4KB

Download
memory/1380-25-0x00007FF96DF55000-0x00007FF96DF56000-memory.dmp

Filesize
4KB

Download
memory/1380-33-0x00007FF96DCA0000-0x00007FF96E641000-memory.dmp

Filesize
9.6MB

Download
memory/1380-28-0x000000001B770000-0x000000001BC3E000-memory.dmp

Filesize
4.8MB

Download
memory/1380-32-0x000000001BDE0000-0x000000001BE2C000-memory.dmp

Filesize
304KB

Download
memory/1380-29-0x00007FF96DCA0000-0x00007FF96E641000-memory.dmp

Filesize
9.6MB

Download
memory/1380-30-0x000000001BCE0000-0x000000001BD7C000-memory.dmp

Filesize
624KB

Download
memory/1380-31-0x0000000000CF0000-0x0000000000CF8000-memory.dmp

Filesize
32KB

Download
memory/4564-9-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/4564-0-0x00000000748C2000-0x00000000748C3000-memory.dmp

Filesize
4KB

Download
memory/4564-1-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/4564-2-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing