hackbrowserdata | 33a32609cb5acf54abeef9eed08d24a03dfd138ddd4b6132c8add72d8232b43a

General

Target

2024-10-08_fc98f5d0bc1552483a44c85d53384a6e_ryuk.exe
Size

14.0MB
MD5

fc98f5d0bc1552483a44c85d53384a6e
SHA1

d696097fec437d4f31739d1460b180e67795b9d6
SHA256

33a32609cb5acf54abeef9eed08d24a03dfd138ddd4b6132c8add72d8232b43a
SHA512

5b3f9769de97b61568611ed852efcdcb52d9d2371026dc434aeab2f42197cc6a876a24c1132ec0861bd6895c7c9ca164370da9ae63009bd4432ef8ed9dddefa4
SSDEEP

393216:IxhOGfw/zTNVC2bH2McKpqeTP91UIU537BEBE/P:aIoszT7C2KMzg537iBEH

Score

10^/10

hackbrowserdata discovery execution infostealer spyware stealer

Malware Config

Signatures

An open source browser data exporter written in golang. 2 IoCs

resource	yara_rule
behavioral1/files/0x0004000000019586-154.dat	family_hackbrowserdata
behavioral1/memory/1496-216-0x000000013F2C0000-0x000000014074E000-memory.dmp	family_hackbrowserdata

HackBrowserData
An open source golang web browser extractor.
infostealer hackbrowserdata

Executes dropped EXE 1 IoCs

pid	Process
1496	hack-browser-data.exe

Loads dropped DLL 2 IoCs

pid	Process
1056	cmd.exe
1056	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2892	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
464	timeout.exe
2648	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1852	powershell.exe
2892	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2364	2260	2024-10-08_fc98f5d0bc1552483a44c85d53384a6e_ryuk.exe	30
PID 2260 wrote to memory of 2364	2260	2024-10-08_fc98f5d0bc1552483a44c85d53384a6e_ryuk.exe	30
PID 2260 wrote to memory of 2364	2260	2024-10-08_fc98f5d0bc1552483a44c85d53384a6e_ryuk.exe	30
PID 2364 wrote to memory of 2264	2364	WScript.exe	31
PID 2364 wrote to memory of 2264	2364	WScript.exe	31
PID 2364 wrote to memory of 2264	2364	WScript.exe	31
PID 2264 wrote to memory of 1056	2264	cmd.exe	33
PID 2264 wrote to memory of 1056	2264	cmd.exe	33
PID 2264 wrote to memory of 1056	2264	cmd.exe	33
PID 1056 wrote to memory of 1496	1056	cmd.exe	34
PID 1056 wrote to memory of 1496	1056	cmd.exe	34
PID 1056 wrote to memory of 1496	1056	cmd.exe	34
PID 2264 wrote to memory of 464	2264	cmd.exe	36
PID 2264 wrote to memory of 464	2264	cmd.exe	36
PID 2264 wrote to memory of 464	2264	cmd.exe	36
PID 2264 wrote to memory of 1852	2264	cmd.exe	37
PID 2264 wrote to memory of 1852	2264	cmd.exe	37
PID 2264 wrote to memory of 1852	2264	cmd.exe	37
PID 2264 wrote to memory of 2892	2264	cmd.exe	38
PID 2264 wrote to memory of 2892	2264	cmd.exe	38
PID 2264 wrote to memory of 2892	2264	cmd.exe	38
PID 2264 wrote to memory of 2648	2264	cmd.exe	39
PID 2264 wrote to memory of 2648	2264	cmd.exe	39
PID 2264 wrote to memory of 2648	2264	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\2024-10-08_fc98f5d0bc1552483a44c85d53384a6e_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-08_fc98f5d0bc1552483a44c85d53384a6e_ryuk.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\hideCMD.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\System32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\ha.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Windows\system32\cmd.exe
      cmd /c "start "" .\toboot\hack-browser-data.exe -f json --dir res --zip"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1056
    - - C:\Users\Admin\AppData\Local\Temp\toboot\hack-browser-data.exe
        
        .\toboot\hack-browser-data.exe -f json --dir res --zip
        5⤵
        Executes dropped EXE
        
        PID:1496
  - - C:\Windows\system32\timeout.exe
      timeout /t 4
      4⤵
      Delays execution with timeout.exe
      PID:464
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Compress-Archive -Path ".\res" -DestinationPath .\res.zip -CompressionLevel Fastest -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1852
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ep bypass -file "HBDSend.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2892
  - - C:\Windows\system32\timeout.exe
      timeout /t 4
      4⤵
      Delays execution with timeout.exe
      PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Browser Information Discovery

1

T1217

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.git\logs\refs\remotes\origin\HEAD

Filesize
206B

MD5
161010715d0c362173bf20c28c2fd9b7

SHA1
f80849d90d3a9843a658e5560f000f97fc4d8d01

SHA256
de309dabda86493c2e3260c1e17dd794211789121ffbd93a291909d48a5697e7

SHA512
c7599a1d21226e3fb73e669a9451b14dfc6d0d9ce6866bc382e32c645f79671f6457b15cf5e377006bc14f3cd8dd7754a5ff1e4496c1bb4129d7d271ff2293c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\HBDSend.ps1

Filesize
390B

MD5
4802a57c6fccba23e67bc66c31356d4f

SHA1
fc030aa0f325b17643f58c2659c0742890d9f3d7

SHA256
5578ae9942d3aeba7898924a489752dd6c209d4b22cbbdb2eb5f946c61d0df35

SHA512
9c2843455b90f14393ff1f6e7b0736607ba16a0e89eef4a9f0d6b7affd3430b2b6dcf87d588758f99d3ae29fcb365e584e40d760024dd1ea2108b3d9190d0b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\chromiumKey

Filesize
333KB

MD5
068616c682ecf110e197df944c8e91a5

SHA1
34e6742941f8c169e0748d24a1b250bdaebc8fe3

SHA256
c26e61d6f32eba06f51d8bf7dc51fa8b5092d95141696e0d38909ae611675cc0

SHA512
7b352babd9abd73c7b9857b08a245d4971cda801e6fb0e215cb5f1b588a42573faf526bfa750a18430c329bc517d61c0deec42ff0dd88022b32bd6b20cd3a30f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ha.bat

Filesize
338B

MD5
fddf7e3115d866f57c8ee7c39faba7c7

SHA1
380fd6c70888e59b3e6422b482bd993a1c6f4092

SHA256
58eba8234f52ee4f5cb65bcc38f612fcd0025fbfaaa092f994aa0af02c2623cd

SHA512
3efc29aab85d86e83f533baadd275b4692eef50cf1cd600fc6bd27f110bfc0494353ed99679e9e93e3cdc119ea05161cb35906855ad8dedcf6f2324f87041d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\hideCMD.vbs

Filesize
51B

MD5
8cb717954c207bc5d1866f0b91f3705b

SHA1
bb2eb348bbaae1c03f0e8a69fe632acf3654906d

SHA256
5098540013c04d7a204e5ccd000d0342e2724b2a5747c6cde3423c33670e7125

SHA512
28671621ebc6b0e2ef08d910770463935f484b3a2bbf2f2d902436856ca63dfefb1d4c5c57bb0eb84d973295bf7dccf4767a72ed26b62f9b7476c5ac51b858bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f43d80a30a7b0b576b1a75b79451ba6d

SHA1
2bdc955a39946779f0c40e1c86d7416565f0f3a6

SHA256
97081cd1ff330ea118f919e4a6fa81ff8cf82ea1d0ec69ee8c0928a3702210b8

SHA512
3ca728b8047fad191cb126c8249200ac9c92299675d2d5c04f5754baf56b41e332bbfb751062f45e8d882bbee9451d4d84ecd73fcc5e5346ad235d5178968484

Download Submit
\Users\Admin\AppData\Local\Temp\toboot\hack-browser-data.exe

Filesize
20.9MB

MD5
6c66514d0e3b4cf5a2e4c2844efcb1f3

SHA1
682d46485ce44e719309f80483221d82011c3779

SHA256
7374c9b387000b813be75e10c2b988bf8d892985de63eb7446e11ceb225312e8

SHA512
4ca2657b47f145db2b162428ed057b52260a0db6758bf21803d75c6451914918f6392a4f8eb4216929e9feac1da70c161bd5ff61878d328863c9267c798c81a5

Download Submit
memory/1496-216-0x000000013F2C0000-0x000000014074E000-memory.dmp

Filesize
20.6MB

Download
memory/1852-221-0x000000001B380000-0x000000001B662000-memory.dmp

Filesize
2.9MB

Download
memory/1852-222-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/2892-228-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

Filesize
2.9MB

Download
memory/2892-229-0x00000000022A0000-0x00000000022A8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing