b931c903ff14d82dce6daf9934209b5c71f982359847ed3e342e25fa88c99f03

General

Target

rUtfalBbvXy6eEmMrseqpFHx.exe
Size

2.0MB
MD5

93156ea35c0014003d9e87bf82a79b33
SHA1

1eacd5ec484996a4dab233cd569c54d1594fb3a9
SHA256

c6ac7d4850131a5422da8170ed1a51f939c4b3b1f312478498e8aa7df374e840
SHA512

024611682daf2ca96112253d1b2cf8afed22639363c9684353a89e396a89e032a4f7ce8236557416e27dd635e3ee82b332aa3e0bfeba0affc439bdd28a3ea322
SSDEEP

49152:7rEOLD0xW+aJVXfxu3Eosp/qw7RV+uY/:023Jtosp/qw7yb

Score

9^/10

discovery spyware stealer

Malware Config

Signatures

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral5/files/0x0007000000012117-4.dat	Nirsoft
behavioral5/files/0x0008000000012117-13.dat	Nirsoft
behavioral5/memory/2328-15-0x0000000000400000-0x000000000047C000-memory.dmp	Nirsoft

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral5/files/0x0008000000012117-13.dat	WebBrowserPassView
behavioral5/memory/2328-15-0x0000000000400000-0x000000000047C000-memory.dmp	WebBrowserPassView

Executes dropped EXE 2 IoCs

pid	Process
2984	11111.exe
2328	11111.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11111.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2328	11111.exe
2328	11111.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2984	3020	rUtfalBbvXy6eEmMrseqpFHx.exe	30
PID 3020 wrote to memory of 2984	3020	rUtfalBbvXy6eEmMrseqpFHx.exe	30
PID 3020 wrote to memory of 2984	3020	rUtfalBbvXy6eEmMrseqpFHx.exe	30
PID 3020 wrote to memory of 2984	3020	rUtfalBbvXy6eEmMrseqpFHx.exe	30
PID 3020 wrote to memory of 2328	3020	rUtfalBbvXy6eEmMrseqpFHx.exe	31
PID 3020 wrote to memory of 2328	3020	rUtfalBbvXy6eEmMrseqpFHx.exe	31
PID 3020 wrote to memory of 2328	3020	rUtfalBbvXy6eEmMrseqpFHx.exe	31
PID 3020 wrote to memory of 2328	3020	rUtfalBbvXy6eEmMrseqpFHx.exe	31
PID 3020 wrote to memory of 2444	3020	rUtfalBbvXy6eEmMrseqpFHx.exe	33
PID 3020 wrote to memory of 2444	3020	rUtfalBbvXy6eEmMrseqpFHx.exe	33
PID 3020 wrote to memory of 2444	3020	rUtfalBbvXy6eEmMrseqpFHx.exe	33

C:\Users\Admin\AppData\Local\Temp\rUtfalBbvXy6eEmMrseqpFHx.exe
"C:\Users\Admin\AppData\Local\Temp\rUtfalBbvXy6eEmMrseqpFHx.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Local\Temp\11111.exe
  C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2984
- C:\Users\Admin\AppData\Local\Temp\11111.exe
  C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2328
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3020 -s 476
  2⤵
  PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\11111.exe

Filesize
458KB

MD5
ba3a98e2a1faacf0ad668b4e9582a109

SHA1
1160c029a6257f776a6ed1cfdc09ae158d613ae3

SHA256
8165138265a2bf60d2edd69662c399bdbf1426108e98c5dfff5933168eba33f5

SHA512
d255da482ad2e9fa29b84676028c21683b0df7663113e2b0b7c6ff07c9fb8995e81a589e6c8d157ce33c1f266ac12a512821894159eee37dbb53a1d3ae6d6825

Download Submit
C:\Users\Admin\AppData\Local\Temp\11111.exe

Filesize
391KB

MD5
7165e9d7456520d1f1644aa26da7c423

SHA1
177f9116229a021e24f80c4059999c4c52f9e830

SHA256
40ca14be87ccee1c66cce8ce07d7ed9b94a0f7b46d84f9147c4bbf6ddab75a67

SHA512
fe80996a7f5c64815c19db1fa582581aa1934ea8d1050e686b4f65bcdd000df1decdf711e0e4b1de8a2aa4fcb1ac95cebb0316017c42e80d8386bd3400fcaecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Filesize
246B

MD5
46183ada973d3bfaab7be726c800e96e

SHA1
7fcb7272b04d8b1caaf1343ec720461ca79f45c2

SHA256
0cba483c4b5eeb5d275d2a54db9f7c3c213615628b4ac79044980347930e7a1f

SHA512
338c4ccf7cde74e3aa5c9bb27672797ab8b4c8aa6e99fbcf61a2dc8caecdd871b747e4bcc654391479bc4df5a1e72257da9957f9768c67b2846dd9435b950926

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Filesize
31B

MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
memory/2328-15-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download

Analysis

Sharing