c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a | Triage

Submit
Reports

Overview

overview

7

Static

static

1

winrar-x64-701.exe

windows10-2004-x64

7

Resubmissions

03-12-2024 16:06

241203-tj58vsxqfp 3

03-12-2024 15:57

241203-tecezsska1 7

Sharing

General

Target

winrar-x64-701.exe
Size

3.8MB
Sample

241203-tecezsska1
MD5

46c17c999744470b689331f41eab7df1
SHA1

b8a63127df6a87d333061c622220d6d70ed80f7c
SHA256

c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a
SHA512

4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6
SSDEEP

98304:6NRBOBfKgQIm9EOTqw8vjh9Ac9nUNupK4hVvcF+yHrAr:sR/gmeOqv7Ac9F0kB

Score

7^/10

credential_access discovery persistence privilege_escalation pyinstaller spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

winrar-x64-701.exe

Resource

win10v2004-20241007-en

credential_access discovery persistence privilege_escalation pyinstaller spyware stealer

windows10-2004-x64

31 signatures

150 seconds

Malware Config

Targets

- Target
  
  winrar-x64-701.exe
- Size
  
  3.8MB
- MD5
  
  46c17c999744470b689331f41eab7df1
- SHA1
  
  b8a63127df6a87d333061c622220d6d70ed80f7c
- SHA256
  
  c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a
- SHA512
  
  4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6
- SSDEEP
  
  98304:6NRBOBfKgQIm9EOTqw8vjh9Ac9nUNupK4hVvcF+yHrAr:sR/gmeOqv7Ac9F0kB
Score

7^/10

credential_access discovery persistence privilege_escalation pyinstaller spyware stealer
- Drops startup file
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Downloads MZ/PE file
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Enumerates processes with tasklist
  discovery
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

Component Object Model Hijacking

Privilege Escalation

Event Triggered Execution

Component Object Model Hijacking

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

Process Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

credential_accessdiscoverypersistenceprivilege_escalationpyinstallerspywarestealer

© 2018-2025

Terms | Privacy