78023bdaf9f185ff21ad64a6af645fe56a0935c801f85731b8c3a85248e71bd4

General

Target

78023bdaf9f185ff21ad64a6af645fe56a0935c801f85731b8c3a85248e71bd4.exe
Size

7.6MB
MD5

0be4a2592f848a5781a73ee60fa20ba6
SHA1

85bf09a2f02d66e8aa03147c90f7edd404c8a6aa
SHA256

78023bdaf9f185ff21ad64a6af645fe56a0935c801f85731b8c3a85248e71bd4
SHA512

84b138f38e92a6ca5614a706dc8788ba218d7f4e0dde691dab18f1b9256def36475181f456435499a183336f5a385641d7d0b7401c22d42fe6ee5116796f0530
SSDEEP

98304:K0XCXkHTfN9Z+1jjw+giUMZCq6bFREzaOHSWLu4F:K0XCXkHTfN9QgirZC5YS

Score

9^/10

credential_access discovery spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ipinfo.io
7	ipinfo.io
11	api.myip.com
12	api.myip.com
3	api64.ipify.org
4	api64.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2148 set thread context of 2436	2148	78023bdaf9f185ff21ad64a6af645fe56a0935c801f85731b8c3a85248e71bd4.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	78023bdaf9f185ff21ad64a6af645fe56a0935c801f85731b8c3a85248e71bd4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2436	2148	78023bdaf9f185ff21ad64a6af645fe56a0935c801f85731b8c3a85248e71bd4.exe	30
PID 2148 wrote to memory of 2436	2148	78023bdaf9f185ff21ad64a6af645fe56a0935c801f85731b8c3a85248e71bd4.exe	30
PID 2148 wrote to memory of 2436	2148	78023bdaf9f185ff21ad64a6af645fe56a0935c801f85731b8c3a85248e71bd4.exe	30
PID 2148 wrote to memory of 2436	2148	78023bdaf9f185ff21ad64a6af645fe56a0935c801f85731b8c3a85248e71bd4.exe	30
PID 2148 wrote to memory of 2436	2148	78023bdaf9f185ff21ad64a6af645fe56a0935c801f85731b8c3a85248e71bd4.exe	30
PID 2148 wrote to memory of 2436	2148	78023bdaf9f185ff21ad64a6af645fe56a0935c801f85731b8c3a85248e71bd4.exe	30
PID 2148 wrote to memory of 2436	2148	78023bdaf9f185ff21ad64a6af645fe56a0935c801f85731b8c3a85248e71bd4.exe	30
PID 2148 wrote to memory of 2436	2148	78023bdaf9f185ff21ad64a6af645fe56a0935c801f85731b8c3a85248e71bd4.exe	30
PID 2148 wrote to memory of 2436	2148	78023bdaf9f185ff21ad64a6af645fe56a0935c801f85731b8c3a85248e71bd4.exe	30
PID 2148 wrote to memory of 2436	2148	78023bdaf9f185ff21ad64a6af645fe56a0935c801f85731b8c3a85248e71bd4.exe	30
PID 2148 wrote to memory of 2436	2148	78023bdaf9f185ff21ad64a6af645fe56a0935c801f85731b8c3a85248e71bd4.exe	30
PID 2148 wrote to memory of 2436	2148	78023bdaf9f185ff21ad64a6af645fe56a0935c801f85731b8c3a85248e71bd4.exe	30
PID 2148 wrote to memory of 2436	2148	78023bdaf9f185ff21ad64a6af645fe56a0935c801f85731b8c3a85248e71bd4.exe	30
PID 2148 wrote to memory of 2436	2148	78023bdaf9f185ff21ad64a6af645fe56a0935c801f85731b8c3a85248e71bd4.exe	30

C:\Users\Admin\AppData\Local\Temp\78023bdaf9f185ff21ad64a6af645fe56a0935c801f85731b8c3a85248e71bd4.exe
"C:\Users\Admin\AppData\Local\Temp\78023bdaf9f185ff21ad64a6af645fe56a0935c801f85731b8c3a85248e71bd4.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\iofolko5\0My2BK3UmOhpO5reQvR_FrAA.exe

Filesize
1.7MB

MD5
65bc56f91ff58c7c3846d3dee31effb5

SHA1
6d8ea2e7a4bf111c6aca9733d031d6f6aad813be

SHA256
4f713a5c8c50737939c18aa6cf6d557e309abd14a461d0189c4413ece7d06e96

SHA512
268cd7564c1d4b4edfa65433611b2f05c377eb8ecfbc71904dc9afeda8581c22a4da8249715a26a19ba66669b5e758d116a3006786d347ef67bd49f922788943

Download Submit
C:\Users\Admin\Documents\iofolko5\11psWPLj6abQ7uDt7xo8wEj9.exe

Filesize
6.4MB

MD5
00e250e5fdcf6ed6246903accff01130

SHA1
ba0cda9d84ddcd79d02bb6d88aaf323feebd05f2

SHA256
9df8349c91ff8bdee71cf3e257a0d2f6bab02dffcb92d16de350b9bc2cdef4f7

SHA512
1b058ab492e69e614f08baa55d0000014ee9cd9ea7f46bf23ebb4d8b25012c38d3ffb914a3b79a819e429d27f0187ea2171f533e16eadf3dba9e069e40e4adbe

Download Submit
C:\Users\Admin\Documents\iofolko5\Gd2hXu7wV3e9gu8iVvUay2aA.exe

Filesize
313KB

MD5
a36dc92515ad9a1efd791c57e6b8825b

SHA1
787767c3c8717c4f165adc1b20acc9a8352bab06

SHA256
e3b5a04c8bc029a519b7edb6f32ef05b48e83f8ba5d78957aaff4900c1abbbad

SHA512
74401be47fc01142abd227bc1383958be499dabefff142be673d2b340e17e8944f4ee9d82f07d2380532f7f45eaa1dce2f73b482b17d39da19f9da5d1db0421f

Download Submit
C:\Users\Admin\Documents\iofolko5\bRU33sdZ52UVS8xh1fSy3eZj.exe

Filesize
2.7MB

MD5
599395d27217b0b159527ff55ac5bf1e

SHA1
1247c975a6f556c19a01ecc284de42e120ab27f5

SHA256
acee75e211131a2a19d21e3a7b6d228cab0c52166fd57916699392f8ee5c72ff

SHA512
22db00d0222082e8d37dcda04b45eb9d5ef9c5c73b829c6bc7c387edf92719a88cdce7833c2db122a14be3114cf419e69ab1239c261e8755f4d37c08d03ab575

Download Submit
C:\Users\Admin\Documents\iofolko5\hUf5Ugnzdn2h2oQQYtn7otQ6.exe

Filesize
995KB

MD5
969c9a7bc2e46a078fac7c27ad79fc56

SHA1
4047fed227464f275c40b44a1adb49bbb6072b88

SHA256
891306bc14e8d196e6f229dfe9d713bb1e81af30efe5ea786672648cbe6fd032

SHA512
0285f94d1de7e194d18f53eb1b3ad669fafa0a5dee45e7eab9ebd1e807e65ded235d360969225d0c1a54c8cf97b2da6ad14676320aa621845e28d9a38120ddbb

Download Submit
C:\Users\Admin\Documents\iofolko5\hrzKtJHzIhTAnfI20jjGUlOS.exe

Filesize
10.6MB

MD5
079d166295bafa2ab44902c8bf5ff2a5

SHA1
46e728a035c3fd9618f823a5d0b525a9aa22e1c1

SHA256
dbe5fb6a6d567628f7982723f21869f68508397ee6926116554aef37789014d8

SHA512
949f278bf199553263d7023349b16f6060506e29518886dff77d913df54b951b0c0026667bbd67a9cdc4c44ae7c174d74ddd7d5520df081d91a1296de095151b

Download Submit
C:\Users\Admin\Documents\iofolko5\jQUiN8rlVJbZHt9BMkUiuHPJ.exe

Filesize
342KB

MD5
dc0d22b7133699183da35835f6dc4d1b

SHA1
1d5cc388057254f037c10e3ddab6531f9ea5ffad

SHA256
a21388b8be0612fb9d0274cba67c88df2d604629322fc0968558dfd28be09cd4

SHA512
6135a36911a05654d380e740666dac650ecffd9b47f411012e8e30dfbc954520dbee3e9183984db7f9fc0997785d795305eaf88f5da3116026080fef4c5eee01

Download Submit
C:\Users\Admin\Documents\iofolko5\uRgvDLrdyYumC8EiimtWpkW9.exe

Filesize
6.3MB

MD5
95bb292a795c5c517e405f698fbd3fed

SHA1
f53472ae5a6ef6c84a22ba968ae52b7b8af2c059

SHA256
dbf462d222344d6c78ed9548922560993b9d8bd2a9860b381476310319945d80

SHA512
b745d034ccb7666512ac9605877a2631df804cd96c2c3ba343b293524f6f6ea051e63e72ddf755cb7bb14c2f81b8847b7cd6bfa15fb1d78b1b40705e71ef11c4

Download Submit
memory/2148-1-0x0000000001200000-0x00000000019A0000-memory.dmp

Filesize
7.6MB

Download
memory/2148-18-0x0000000074400000-0x0000000074AEE000-memory.dmp

Filesize
6.9MB

Download
memory/2148-0-0x000000007440E000-0x000000007440F000-memory.dmp

Filesize
4KB

Download
memory/2148-4-0x0000000000570000-0x0000000000592000-memory.dmp

Filesize
136KB

Download
memory/2148-3-0x0000000074400000-0x0000000074AEE000-memory.dmp

Filesize
6.9MB

Download
memory/2148-2-0x0000000005970000-0x0000000005C1C000-memory.dmp

Filesize
2.7MB

Download
memory/2436-30-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2436-19-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2436-20-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2436-23-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2436-29-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2436-21-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2436-32-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2436-31-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2436-5-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2436-28-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2436-27-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2436-26-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2436-25-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2436-24-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2436-22-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2436-6-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2436-36-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2436-7-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2436-45-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2436-46-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2436-8-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2436-9-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2436-10-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2436-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2436-13-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2436-87-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2436-88-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2436-89-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2436-15-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download
memory/2436-17-0x0000000000400000-0x00000000005E1000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing