e8b3f4dddc7b43ee254b3567a60c0a0077fbb31acdd78888a44365fc1deeb2f8

General

Target

e8b3f4dddc7b43ee254b3567a60c0a0077fbb31acdd78888a44365fc1deeb2f8.exe
Size

2.6MB
MD5

04d00238e2600955040c93db00a46adb
SHA1

f4335ddedf234a652e8cab234384e622da9d7cd7
SHA256

e8b3f4dddc7b43ee254b3567a60c0a0077fbb31acdd78888a44365fc1deeb2f8
SHA512

a0b5dd9557e893163c4e0aab89be92a33479db4333356bc54a2070bb69bdd0f3e8e61f3dbf3d2ab2513b610f815c2d4851101b42ba9fc547c26717e86b0e0325
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBkB/bSqP:sxX7QnxrloE5dpUp7bVP

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

e8b3f4dddc7b43ee254b3567a60c0a0077fbb31acdd78888a44365fc1deeb2f8.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe	e8b3f4dddc7b43ee254b3567a60c0a0077fbb31acdd78888a44365fc1deeb2f8.exe

Executes dropped EXE 2 IoCs

Processes:

ecdevopti.exedevbodec.exe

pid process

2548 ecdevopti.exe
588 devbodec.exe

pid	process
2548	ecdevopti.exe
588	devbodec.exe

Loads dropped DLL 2 IoCs

Processes:

e8b3f4dddc7b43ee254b3567a60c0a0077fbb31acdd78888a44365fc1deeb2f8.exe

pid	process
516	e8b3f4dddc7b43ee254b3567a60c0a0077fbb31acdd78888a44365fc1deeb2f8.exe
516	e8b3f4dddc7b43ee254b3567a60c0a0077fbb31acdd78888a44365fc1deeb2f8.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e8b3f4dddc7b43ee254b3567a60c0a0077fbb31acdd78888a44365fc1deeb2f8.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocH6\\devbodec.exe"	e8b3f4dddc7b43ee254b3567a60c0a0077fbb31acdd78888a44365fc1deeb2f8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax44\\dobasys.exe"	e8b3f4dddc7b43ee254b3567a60c0a0077fbb31acdd78888a44365fc1deeb2f8.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

e8b3f4dddc7b43ee254b3567a60c0a0077fbb31acdd78888a44365fc1deeb2f8.exeecdevopti.exedevbodec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e8b3f4dddc7b43ee254b3567a60c0a0077fbb31acdd78888a44365fc1deeb2f8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdevopti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devbodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e8b3f4dddc7b43ee254b3567a60c0a0077fbb31acdd78888a44365fc1deeb2f8.exeecdevopti.exedevbodec.exe

pid	process
516	e8b3f4dddc7b43ee254b3567a60c0a0077fbb31acdd78888a44365fc1deeb2f8.exe
516	e8b3f4dddc7b43ee254b3567a60c0a0077fbb31acdd78888a44365fc1deeb2f8.exe
2548	ecdevopti.exe
588	devbodec.exe
2548	ecdevopti.exe
588	devbodec.exe
2548	ecdevopti.exe
588	devbodec.exe
2548	ecdevopti.exe
588	devbodec.exe
2548	ecdevopti.exe
588	devbodec.exe
2548	ecdevopti.exe
588	devbodec.exe
2548	ecdevopti.exe
588	devbodec.exe
2548	ecdevopti.exe
588	devbodec.exe
2548	ecdevopti.exe
588	devbodec.exe
2548	ecdevopti.exe
588	devbodec.exe
2548	ecdevopti.exe
588	devbodec.exe
2548	ecdevopti.exe
588	devbodec.exe
2548	ecdevopti.exe
588	devbodec.exe
2548	ecdevopti.exe
588	devbodec.exe
2548	ecdevopti.exe
588	devbodec.exe
2548	ecdevopti.exe
588	devbodec.exe
2548	ecdevopti.exe
588	devbodec.exe
2548	ecdevopti.exe
588	devbodec.exe
2548	ecdevopti.exe
588	devbodec.exe
2548	ecdevopti.exe
588	devbodec.exe
2548	ecdevopti.exe
588	devbodec.exe
2548	ecdevopti.exe
588	devbodec.exe
2548	ecdevopti.exe
588	devbodec.exe
2548	ecdevopti.exe
588	devbodec.exe
2548	ecdevopti.exe
588	devbodec.exe
2548	ecdevopti.exe
588	devbodec.exe
2548	ecdevopti.exe
588	devbodec.exe
2548	ecdevopti.exe
588	devbodec.exe
2548	ecdevopti.exe
588	devbodec.exe
2548	ecdevopti.exe
588	devbodec.exe
2548	ecdevopti.exe
588	devbodec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

e8b3f4dddc7b43ee254b3567a60c0a0077fbb31acdd78888a44365fc1deeb2f8.exe

description	pid	process	target process
PID 516 wrote to memory of 2548	516	e8b3f4dddc7b43ee254b3567a60c0a0077fbb31acdd78888a44365fc1deeb2f8.exe	ecdevopti.exe
PID 516 wrote to memory of 2548	516	e8b3f4dddc7b43ee254b3567a60c0a0077fbb31acdd78888a44365fc1deeb2f8.exe	ecdevopti.exe
PID 516 wrote to memory of 2548	516	e8b3f4dddc7b43ee254b3567a60c0a0077fbb31acdd78888a44365fc1deeb2f8.exe	ecdevopti.exe
PID 516 wrote to memory of 2548	516	e8b3f4dddc7b43ee254b3567a60c0a0077fbb31acdd78888a44365fc1deeb2f8.exe	ecdevopti.exe
PID 516 wrote to memory of 588	516	e8b3f4dddc7b43ee254b3567a60c0a0077fbb31acdd78888a44365fc1deeb2f8.exe	devbodec.exe
PID 516 wrote to memory of 588	516	e8b3f4dddc7b43ee254b3567a60c0a0077fbb31acdd78888a44365fc1deeb2f8.exe	devbodec.exe
PID 516 wrote to memory of 588	516	e8b3f4dddc7b43ee254b3567a60c0a0077fbb31acdd78888a44365fc1deeb2f8.exe	devbodec.exe
PID 516 wrote to memory of 588	516	e8b3f4dddc7b43ee254b3567a60c0a0077fbb31acdd78888a44365fc1deeb2f8.exe	devbodec.exe

C:\Users\Admin\AppData\Local\Temp\e8b3f4dddc7b43ee254b3567a60c0a0077fbb31acdd78888a44365fc1deeb2f8.exe
"C:\Users\Admin\AppData\Local\Temp\e8b3f4dddc7b43ee254b3567a60c0a0077fbb31acdd78888a44365fc1deeb2f8.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:516
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2548
- C:\IntelprocH6\devbodec.exe
  C:\IntelprocH6\devbodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax44\dobasys.exe

Filesize
2.6MB

MD5
b1e4bdcf12e8a0e0cfe6e9b6131962ea

SHA1
3caaf6bfff280829d555af8c6b97b92472f92f1a

SHA256
bb0988eea6df295d6e348f8e94db4e22db86fe9bc7eb5dfed922bed85b883733

SHA512
4541bc044038f9db673c58ecca059eaf304f929bebec0cb85f77b9322e6ca966c7f6b932ab5417b37cac33a541569843a51acc03fe54861101fd008b5a615be8

Download Submit
C:\Galax44\dobasys.exe

Filesize
2.6MB

MD5
8f90a577c4f39b81f625d2ccd4bd0990

SHA1
2a82280b4825a2c7db8d23ad1d5155f83e2647c6

SHA256
56153f763ad4e2d55bef8e6225ec4037ee1fcc60703eb0ef6a060eb9b98ba3ed

SHA512
94f82b55c979f5b33196950d3b849d6e84475c5910a2202e5d0ba0465c7e46ed77b4685a573cb5b285116be1b824370cbe42d65675bfed214e043133be1b0866

Download Submit
C:\IntelprocH6\devbodec.exe

Filesize
2.6MB

MD5
cf36fda8f13b0fe82bc9853c10883436

SHA1
3fa96df90d7348614aea421d21850f66e148a400

SHA256
8b1c803bda0446cdace2cfc8a4ce96fa76455ce4290c7d341be158e74d40f171

SHA512
005a38ecaba8e62ab8a6f2c760dbd1d821c39f194aa176520898d2a52ab81dfca790d307231d6a2a113e58d93e01ca6135ed0926b66f2b45838d05859efaf742

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
176B

MD5
4a9414e9dec6f12b348cf9062ae49ad7

SHA1
bc527c74fb7dec10578a8741878e5f98682e5946

SHA256
41efe62795ec41dd8d5d1089412005a40eadeeb9e42dccb4b0e931a8311be74d

SHA512
eda46eec70e70242236af164d45519eb84139434d93d6ae19fcb7a7ab4c835aee3a9168b3a69702a4a9b628e589d703b6eacaee0e4a1f943e714f6b62b375559

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
faef3bb3bfeca92793e3a986fcacd3b1

SHA1
00458af84b610a04dc67ad35947dabc8482d5c6a

SHA256
1a4f1a3c3b3537b767c8c212071f3ab66f07d2d6d718353f68e62c59f3d51cc9

SHA512
4d9df44731d30b47e22fb6f105271fc5788a18230c2a6c4c5e91f62570f224b8660e1ed73633eabece2ad60ce5a79665ef05cd4f5b8d8fde2efd6d68b8fb170d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

Filesize
2.6MB

MD5
227775b4dd2f90f738567b757079b852

SHA1
a9c1e83f5ac63a284ba7ead87b600815b51638d5

SHA256
eaf716964f61c35d3af18b202f9f755deadbd50070ccf1c1a7b03cbb2555563e

SHA512
bda83eb740b4372f4e1184e61f66d9d19e1330b57259eb0105f60197c07b2fea3b9572ddcc8272e15a0313f2cac1034e7a91fd3ac8eb50dfad8e33775c847220

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads