Malware Analysis Report

2025-01-22 08:47

Sample ID 241027-smpjvawqhy
Target updated traced_04202236.exe
SHA256 61c2c4a5d7c14f77ee88871ded4cc7f1e49dae3e4ef209504c66fedf4d22de42
Tags discovery spyware stealer
Score 4/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 4/10

SHA256 61c2c4a5d7c14f77ee88871ded4cc7f1e49dae3e4ef209504c66fedf4d22de42

Threat Level: Likely benign

The file updated traced_04202236.exe was found to be: Likely benign.

Malicious Activity Summary

discovery spyware stealer

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-27 15:14

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 15:14

Reported

2024-10-27 15:15

Platform

win11-20241007-en

Max time kernel

21s

Max time network

25s

Command Line

"C:\Users\Admin\AppData\Local\Temp\updated traced_04202236.exe"

Signatures

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS82CE5687\setup.exe | N/A

Reads user/profile data of web browsers

spyware stealer

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\updated traced_04202236.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\OperaGX.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS82CE5687\setup.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Opera GXStable | C:\Users\Admin\AppData\Local\Temp\updated traced_04202236.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Opera GXStable | C:\Users\Admin\AppData\Local\Temp\updated traced_04202236.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\updated traced_04202236.exe

"C:\Users\Admin\AppData\Local\Temp\updated traced_04202236.exe"

C:\Windows\SysWOW64\werfault.exe

werfault.exe /h /shared Global\a0b08de9cb664002bab05b2e60b678e1 /t 2156 /p 868

C:\Users\Admin\AppData\Local\OperaGX.exe

C:\Users\Admin\AppData\Local\OperaGX.exe --silent --allusers=0

C:\Users\Admin\AppData\Local\Temp\7zS82CE5687\setup.exe

C:\Users\Admin\AppData\Local\Temp\7zS82CE5687\setup.exe --silent --allusers=0 --server-tracking-blob=…

C:\Users\Admin\AppData\Local\Temp\7zS82CE5687\setup.exe

C:\Users\Admin\AppData\Local\Temp\7zS82CE5687\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=114.0.5282.123 --initial-client-data=0x330,0x334,0x338,0x30c,0x33c,0x70c48c5c,0x70c48c68,0x70c48c74

C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version

C:\Users\Admin\AppData\Local\Temp\7zS82CE5687\setup.exe

"C:\Users\Admin\AppData\Local\Temp\7zS82CE5687\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --vought_browser=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera GX" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=1308 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_20241027151516" --session-guid=beaeb32f-897a-4c20-b350-487507d3da4c --server-tracking-blob=YzU2YTc4ZjVhZjg3Mzc4MWNmZWZhZDI3MjlhM2NhOTZhN2Q5MDc0M2RjOWM2ZjM2OTAzMTg3MGMwNjA3MzAzOTp7ImNvdW50cnkiOiJHQiIsImVkaXRpb24iOiJzdGQtMiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFHWFNldHVwLmV4ZSIsInByb2R1Y3QiOnsibmFtZSI6Im9wZXJhX2d4In0sInF1ZXJ5IjoiL29wZXJhX2d4L3N0YWJsZS9lZGl0aW9uL3N0ZC0yP3V0bV9zb3VyY2U9UFdOZ2FtZXMmdXRtX21lZGl1bT1wYSZ1dG1fY2FtcGFpZ249UFdOX0dCX1BCNV8zNTc1JnV0bV9pZD0yMjRmYzZjODI1NmE0ZGEzYjlkNzU2MTZhNDNmNzcyOSZ1dG1fY29udGVudD0zNTc1X0ZpbGVETSIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjExIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTczMDA0MjEwMC43NzI1IiwidXNlcmFnZW50IjoiTW96aWxsYS80LjAgKGNvbXBhdGlibGU7IE1TSUUgNy4wOyBXaW5kb3dzIE5UIDYuMjsgV09XNjQ7IFRyaWRlbnQvNy4wOyAuTkVUNC4wQzsgLk5FVDQuMEU7IC5ORVQgQ0xSIDIuMC41MDcyNzsgLk5FVCBDTFIgMy4wLjMwNzI5OyAuTkVUIENMUiAzLjUuMzA3MjkpIiwidXRtIjp7ImNhbXBhaWduIjoiUFdOX0dCX1BCNV8zNTc1IiwiY29udGVudCI6IjM1NzVfRmlsZURNIiwiaWQiOiIyMjRmYzZjODI1NmE0ZGEzYjlkNzU2MTZhNDNmNzcyOSIsIm1lZGl1bSI6InBhIiwic291cmNlIjoiUFdOZ2FtZXMifSwidXVpZCI6IjAwNzlhYjFmLTUxNjQtNDU0Zi1hODE2LTcwMDAxMDZjZmU5YSJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=0C06000000000000

C:\Users\Admin\AppData\Local\Temp\7zS82CE5687\setup.exe

C:\Users\Admin\AppData\Local\Temp\7zS82CE5687\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=114.0.5282.123 --initial-client-data=0x328,0x32c,0x33c,0x304,0x340,0x6ff08c5c,0x6ff08c68,0x6ff08c74

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.dlsft.com | udp
US | 35.190.60.70:443 | dlsft.com | tcp
GB | 142.250.180.3:80 | o.pki.goog | tcp
GB | 142.250.180.3:80 | o.pki.goog | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 70.60.190.35.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 3.180.250.142.in-addr.arpa | udp
GB | 142.250.180.3:80 | o.pki.goog | tcp
US | 35.190.60.70:443 | dlsft.com | tcp
US | 35.190.60.70:443 | dlsft.com | tcp
US | 104.21.60.113:443 | filedm.com | tcp
NL | 18.238.243.102:443 | dpd.securestudies.com | tcp
US | 165.193.78.234:80 | post.securestudies.com | tcp
US | 172.67.174.4:443 | www.ovardu.com | tcp
US | 165.193.78.234:80 | post.securestudies.com | tcp
NL | 185.26.182.111:443 | net.geo.opera.com | tcp
NL | 18.238.246.206:80 | ocsp.r2m02.amazontrust.com | tcp
US | 165.193.78.234:443 | post.securestudies.com | tcp
NL | 185.26.182.123:443 | autoupdate.geo.opera.com | tcp
NL | 82.145.216.20:443 | autoupdate.opera.com | tcp
NL | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | tcp
US | 104.18.25.17:443 | api.config.opr.gg | tcp
NL | 82.145.216.23:443 | download.opera.com | tcp

Files

C:\Users\Admin\AppData\Local\OperaGX.exe

MD5 af793d005904f542c8ca8854483357a4
SHA1 7de3c62db3cd1e65cf1213e531680b7fdfa9b625
SHA256 6e245bafdb5a712d06f49598246a17a887952a50e50c83725f8ece058290525f
SHA512 3c6eb3196b0e7b7dfcf98a26f4d582d9c6dbaf3c4f8a0893ebb6af65c07e8df633b852ca16ada9c73e3ed254f3183a4c921365de25ed09cd7f813ef3ce8ae07e

C:\Users\Admin\AppData\Local\Temp\7zS82CE5687\setup.exe

MD5 a910474aad1eea96921d359e1763d2fd
SHA1 8f663c05861ce93a1418607bd208c21dc7263237
SHA256 5354a7fa4ef330546d79e1ea02c456084400d0b47d52aaa43b088340981f461e
SHA512 8654f3c5eb98dd4097ed5367771f2f3487a4c90f95754ca39b8900ab52c2c78ab6f90da339c1cce06364ca242d49901a7ebbac92cf14955e3a267ea988c194e4

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2410271515151681308.dll

MD5 94a99783bf5a9aeb8a0c8adcbb144ac8
SHA1 f5682606d1a3774a44d58a42391533899578897b
SHA256 5d8acd8032a3f3147b50e88dd1141312f9232f46ee0cb9487efae3c23545a0e9
SHA512 f545d11b103b79a00f8118000a447b26f76520f9ae4c4e78542237eb11b931b98900f62065ae3fbff747a79d6954d15a7ccb123b2adcfc81df71c17a6cf840a2

C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe

MD5 4894ca49405b52a5a723613b4040bf1d
SHA1 857826d435ac1ca06b6c0788497c10deb6745924
SHA256 65aaf48dcb846b74335b422484c993cf245a15418b01999b3cdec7fba64c0fb5
SHA512 1b4f9d18462c3445d0e01fd7f94dc84f47b030b1ec1db13d7679cc9ab47c61d3021ee53415f07efc24395e16da9c7324b651b33f56df989b6d36f400c8eee02f

C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe

MD5 01ea233245aaf9d7a5d46f27fe44e4b6
SHA1 8b5da075efd12aee93b7f85f1c98e6264a29c9d0
SHA256 4c2a1ed1741e33b6cc5a4205a75e5e8597067a35f19ffdfa048eeb68835ee869
SHA512 5bf4ea8f61e31d6dc77e11e50016508e1d33b0f9eba9739ad89e59be9ba0a8fc6f99ed05e0b84e4f8963175ab37f2b13fd71a6776b465adc38a033f0bc2003a4

C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe

MD5 0f9a2670195657aeed7ad21d47924d66
SHA1 dc26c699f88780bc1261e14553a517bcc31e00cf
SHA256 c767730c983610c53f272ccd1ca5b520e3f46834fd9827b4597786a8fb1abeeb
SHA512 72d6f13907007c961d969354faef78802cf48f6e562201e4d59ec8a791a2f95995b2843dfea99853d41008065ba73d01319fea6a19e566c96fe297d5a0f13741

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2410271515162313664.dll

MD5 faf6b22a05ec00349b7c31a6bbe26215
SHA1 ed115fc7e9d1620181076a0c1d28d9fb62cf27e2
SHA256 6b2f04dea184d32523edd25e0efb31a545bfc8d802aa6496f37c60730692da46
SHA512 ab3c41c5e546fc22fe3052b7748dd3832ae2b180b049585a16e885a6d35d27d36639ba61804fc4ed9273153d6230e0538114646760ecbe13c4ff5fa730fad37d

C:\Users\Admin\AppData\Local\Temp\7zS82CE5687\setup.exe

MD5 923892af78d2f9d4459a694cfa7baf39
SHA1 bf22062cf05d1e836739b9848d83069691783232
SHA256 b1a12d9539c3afb5e88004ec65960ee47ad5254cf36a014b0fdf5067bd0e3fca
SHA512 919b25b355d9b4b266f4979229bc4e54e546dcc3f885f89302efbb5e0d59dbc536e5d3893e7609a8f5acac9c05991e283dceff347dc3e941a0787952937bef90

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2410271515164503704.dll

MD5 545dd3eace94b42a33b534972f1b4671
SHA1 9db36be82bb01a920f80642481ba8da9a8469a63
SHA256 6ab99c353d5b6204293d1af6a064d7bd144c46ef92457b0f5826980f7cc1ec75
SHA512 cc4a963e944f79f8f8560b194ac307235ac8b527a52dcdf2d5de6e96f34727c72883d6c972d54ed33d5b3366dc0165029de0c9018586cb702dd5b792c1aaf9ef

C:\Users\Admin\AppData\Local\Temp\7zS82CE5687\setup.exe

MD5 ba186a49895986c50dee70c426115792
SHA1 c34e764e98c1bcb4948e11fc5d6fee361117645a
SHA256 45a139a9921abffbad2a319533bf38cc515b83529cc815cfff6ac769d453ed15
SHA512 231507090d877593826f0f634c3b6b9b9720663e179a7f0c0a6620bcd0e96049419b61531665ca677f3e501effcdb8f657dde3952568617e7de543086464071f

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2410271515165593896.dll

MD5 631d62d1c5b69c7c62996e2792befbe4
SHA1 76af5911007b9ce1c8bd1e84870a1451514c8210
SHA256 8aba6151eda94f2739e74336037297a0c2a0c65264b79cb9967d4a94c1241b68
SHA512 623f869b8efa1b816b5f5c2babfc0a6a6fe68c19b9dff3480e0d1c35aa1fc740c510aeb2b302750cd71dc73eb96249285654a603f7e19962173429ed6848e0f1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

MD5 971c514f84bba0785f80aa1c23edfd79
SHA1 732acea710a87530c6b08ecdf32a110d254a54c8
SHA256 f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA512 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

MD5 0ca56c1a90109d7be10406d405e46a9d
SHA1 126f75b08fee4bafc68be9d69964a8161f475fb9
SHA256 e3d6daf74c5de32dc2b98c72e1ed0071a820f79dae64d77549d2a47382aaceb1
SHA512 17c2c7adc0c0cb609b44e79b71803a6715e93f755ddd2c37b7bd741cc38ec490a30c4d2da576a5fb1e22aae358e61bb2f7a99ce5cc2a81764920c202f1bea98d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 67e486b2f148a3fca863728242b6273e
SHA1 452a84c183d7ea5b7c015b597e94af8eef66d44a
SHA256 facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb
SHA512 d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 e6b2f7447d3c38eb61ea1b3990b32291
SHA1 2a55133e1ae7f6e9a1f90bfe82a8bc255e8f612f
SHA256 c46e2c4766f22df446854be57a0407b09953eae190cc25cc106ac985002f0852
SHA512 8c43f6b923eb8b9a9b88b8d5f395df6062fccff420b78e10eec5eacee06362859c96169d3ddf2f167c9a8f77e6850f682e60fe42f8cc35016795aef45be68e4d