Overview

overview

7

Static

static

3

Stremio+4.4.168.exe

windows7-x64

7

Stremio+4.4.168.exe

windows10-2004-x64

7

QtQuick/Co...in.dll

windows7-x64

3

QtQuick/Co...in.dll

windows10-2004-x64

3

QtQuick/Co...in.dll

windows7-x64

3

QtQuick/Co...in.dll

windows10-2004-x64

3

QtQuick/Co...in.dll

windows7-x64

3

QtQuick/Co...in.dll

windows10-2004-x64

3

QtQuick/Co...dar.js

windows7-x64

3

QtQuick/Co...dar.js

windows10-2004-x64

3

QtQuick/Co...Box.js

windows7-x64

3

QtQuick/Co...Box.js

windows10-2004-x64

3

QtQuick/Co...enu.js

windows7-x64

3

QtQuick/Co...enu.js

windows10-2004-x64

3

QtQuick/Co...Bar.js

windows7-x64

3

QtQuick/Co...Bar.js

windows10-2004-x64

3

QtQuick/Co...iew.js

windows7-x64

3

QtQuick/Co...iew.js

windows10-2004-x64

3

QtQuick/Co...del.js

windows7-x64

3

QtQuick/Co...del.js

windows10-2004-x64

3

QtQuick/Co...ils.js

windows7-x64

3

QtQuick/Co...ils.js

windows10-2004-x64

3

QtQuick/Co...ent.js

windows7-x64

3

QtQuick/Co...ent.js

windows10-2004-x64

3

QtQuick/Co...tem.js

windows7-x64

3

QtQuick/Co...tem.js

windows10-2004-x64

3

QtQuick/Co...nu.vbs

windows7-x64

1

QtQuick/Co...nu.vbs

windows10-2004-x64

1

QtQuick/Co...se.vbs

windows7-x64

1

QtQuick/Co...se.vbs

windows10-2004-x64

1

QtQuick/Co...low.js

windows7-x64

3

QtQuick/Co...low.js

windows10-2004-x64

3

Analysis

  • max time kernel
    121s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20/11/2024, 14:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Stremio+4.4.168.exe

  • Size

    112.9MB

  • MD5

    763b10b7a9293ccc9307b650a01db702

  • SHA1

    b033764307a4df6cc81c654467630f2df67297ef

  • SHA256

    44ecc6a7624b2fdf03cb9b419f111892515fb036fe23f88e51456dce69066046

  • SHA512

    f6f8d0a78cfaa2c440567fc0e636ab6129c495991f679c93ae0b7e211d9e290e7d4628891fef35f0383662bc2237e21410dd849f1d6074a8994dfd8deeee5e0c

  • SSDEEP

    3145728:XddpqKUfzM8/I/6Uj2jDxXz8sGd1TiDlSugSbc+cYOsNCO1JTN:tdoK18wiucDZxG7TOlS/SI+JNCO19N

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 27 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Stremio+4.4.168.exe
    "C:\Users\Admin\AppData\Local\Temp\Stremio+4.4.168.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio.exe
      "C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1612
      • C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\QtWebEngineProcess.exe
        "C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\QtWebEngineProcess.exe" --type=utility --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,FormControlsRefresh,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --lang=en-US --service-sandbox-type=network --application-name=Stremio --webengine-schemes=qrc:sLV --mojo-platform-channel-handle=1644 /prefetch:8
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1196
      • C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\QtWebEngineProcess.exe
        "C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\QtWebEngineProcess.exe" --type=renderer --autoplay-policy=no-user-gesture-required --disable-speech-api --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,FormControlsRefresh,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --disable-gpu-compositing --lang=en-US --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --mojo-platform-channel-handle=1736 /prefetch:1
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1296

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Smart Code ltd\Stremio\QtWebEngine\Default\Local Storage\leveldb\CURRENT
    Filesize

    16B

    MD5

    46295cac801e5d4857d09837238a6394

    SHA1

    44e0fa1b517dbf802b18faf0785eeea6ac51594b

    SHA256

    0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

    SHA512

    8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

    Download Submit

  • C:\Users\Admin\AppData\Local\Smart Code ltd\Stremio\QtWebEngine\Default\Service Worker\Database\MANIFEST-000001
    Filesize

    41B

    MD5

    5af87dfd673ba2115e2fcf5cfdb727ab

    SHA1

    d5b5bbf396dc291274584ef71f444f420b6056f1

    SHA256

    f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

    SHA512

    de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsdC478.tmp\nsDialogs.dll
    Filesize

    9KB

    MD5

    6c3f8c94d0727894d706940a8a980543

    SHA1

    0d1bcad901be377f38d579aafc0c41c0ef8dcefd

    SHA256

    56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

    SHA512

    2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsdC478.tmp\nsProcess.dll
    Filesize

    4KB

    MD5

    f0438a894f3a7e01a4aae8d1b5dd0289

    SHA1

    b058e3fcfb7b550041da16bf10d8837024c38bf6

    SHA256

    30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

    SHA512

    f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

    Download Submit

  • \Users\Admin\AppData\Local\Programs\LNV\Stremio-4\Uninstall.exe
    Filesize

    173KB

    MD5

    f43d4bfd5752bb43724abb81bb556976

    SHA1

    6c6cbd3c00b808f38cac1d76749a8a43fdcc11ff

    SHA256

    8a88898e43a6bf6a595b5cc47886ca8578c659c2dfc0d99dc7f37cb7cda9b90c

    SHA512

    497f65f7572cdb489508367ee41614933b1718344b54c4729afa2647f4de53e2ac9ad816bfe70fab48751176f6ebfef680500f03154a7bcde7edbb8e3ac83cb4

    Download Submit

  • \Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio.exe
    Filesize

    300KB

    MD5

    c0fbaeea5372c54a2f39716fcbc6afec

    SHA1

    e54790d82d0abdc75607fa0384bb886fc9b8027b

    SHA256

    cc7b6317d48368cb5791a1e95de5306b6152777b09758d14666d82f4b315dabd

    SHA512

    002aa47f5223eb113d3b2bfe1c88eb0ba588b1fc79465340b06c69dde1b897fef73c1f2540712ff22a658a6fe7b8bca4d2b6d4ec9c3d643838ff70275ebd8816

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsdC478.tmp\System.dll
    Filesize

    12KB

    MD5

    cff85c549d536f651d4fb8387f1976f2

    SHA1

    d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

    SHA256

    8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

    SHA512

    531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

    Download Submit

  • memory/1612-4979-0x0000000004030000-0x0000000004230000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1612-4978-0x0000000003BF0000-0x0000000004030000-memory.dmp

    Filesize

    4.2MB

    Download

  • memory/1612-4991-0x0000000002D70000-0x0000000002D71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-4990-0x0000000002D70000-0x0000000002D71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-4989-0x0000000002D70000-0x0000000002D71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-4988-0x0000000002D70000-0x0000000002D71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-4987-0x0000000002D70000-0x0000000002D71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-4992-0x000000006F050000-0x0000000073C1A000-memory.dmp

    Filesize

    75.8MB

    Download

  • memory/1612-4994-0x00000000046C0000-0x00000000046C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-4995-0x00000000046C0000-0x00000000046C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-4996-0x00000000046C0000-0x00000000046C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5012-0x0000000004B00000-0x0000000004B01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5011-0x0000000004B00000-0x0000000004B01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5010-0x0000000004B00000-0x0000000004B01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5008-0x00000000046C0000-0x00000000046C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5007-0x00000000046C0000-0x00000000046C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5006-0x00000000046C0000-0x00000000046C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5005-0x00000000046C0000-0x00000000046C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5004-0x00000000046C0000-0x00000000046C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5003-0x00000000046C0000-0x00000000046C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5002-0x00000000046C0000-0x00000000046C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5001-0x00000000046C0000-0x00000000046C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5000-0x00000000046C0000-0x00000000046C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-4999-0x00000000046C0000-0x00000000046C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-4998-0x00000000046C0000-0x00000000046C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-4997-0x00000000046C0000-0x00000000046C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5045-0x0000000004D00000-0x0000000004D01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5044-0x0000000004D00000-0x0000000004D01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5043-0x0000000004D00000-0x0000000004D01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5042-0x0000000004D00000-0x0000000004D01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5040-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5039-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5038-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5037-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5036-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5035-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5034-0x0000000004B00000-0x0000000004B01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5033-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5032-0x0000000004B00000-0x0000000004B01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5031-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5030-0x0000000004B00000-0x0000000004B01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5029-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5027-0x0000000004B00000-0x0000000004B01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5026-0x0000000004B00000-0x0000000004B01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5025-0x0000000004B00000-0x0000000004B01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5024-0x0000000004B00000-0x0000000004B01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5023-0x0000000004B00000-0x0000000004B01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5022-0x0000000004B00000-0x0000000004B01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5021-0x0000000004B00000-0x0000000004B01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5020-0x0000000004B00000-0x0000000004B01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5019-0x0000000004B00000-0x0000000004B01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5018-0x0000000004B00000-0x0000000004B01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5017-0x0000000004B00000-0x0000000004B01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5016-0x0000000004B00000-0x0000000004B01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5015-0x0000000004B00000-0x0000000004B01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5014-0x0000000004B00000-0x0000000004B01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5046-0x0000000004D00000-0x0000000004D01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5013-0x00000000046C0000-0x00000000046C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1612-5167-0x00000000054E0000-0x00000000054EA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1612-5166-0x00000000054E0000-0x00000000054EA000-memory.dmp

    Filesize

    40KB

    Download