b931c903ff14d82dce6daf9934209b5c71f982359847ed3e342e25fa88c99f03

Analysis

max time kernel
94s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2024, 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rUtfalBbvXy6eEmMrseqpFHx.exe
Size

2.0MB
MD5

93156ea35c0014003d9e87bf82a79b33
SHA1

1eacd5ec484996a4dab233cd569c54d1594fb3a9
SHA256

c6ac7d4850131a5422da8170ed1a51f939c4b3b1f312478498e8aa7df374e840
SHA512

024611682daf2ca96112253d1b2cf8afed22639363c9684353a89e396a89e032a4f7ce8236557416e27dd635e3ee82b332aa3e0bfeba0affc439bdd28a3ea322
SSDEEP

49152:7rEOLD0xW+aJVXfxu3Eosp/qw7RV+uY/:023Jtosp/qw7yb

Score

9^/10

discovery spyware stealer

Malware Config

Signatures

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral6/files/0x0008000000023c87-2.dat	Nirsoft
behavioral6/files/0x0009000000023c87-8.dat	Nirsoft
behavioral6/memory/4320-9-0x0000000000400000-0x000000000047C000-memory.dmp	Nirsoft

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral6/files/0x0009000000023c87-8.dat	WebBrowserPassView
behavioral6/memory/4320-9-0x0000000000400000-0x000000000047C000-memory.dmp	WebBrowserPassView

Executes dropped EXE 2 IoCs

pid	Process
3384	11111.exe
4320	11111.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11111.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4320	11111.exe
4320	11111.exe
4320	11111.exe
4320	11111.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 3384	2100	rUtfalBbvXy6eEmMrseqpFHx.exe	83
PID 2100 wrote to memory of 3384	2100	rUtfalBbvXy6eEmMrseqpFHx.exe	83
PID 2100 wrote to memory of 3384	2100	rUtfalBbvXy6eEmMrseqpFHx.exe	83
PID 2100 wrote to memory of 4320	2100	rUtfalBbvXy6eEmMrseqpFHx.exe	87
PID 2100 wrote to memory of 4320	2100	rUtfalBbvXy6eEmMrseqpFHx.exe	87
PID 2100 wrote to memory of 4320	2100	rUtfalBbvXy6eEmMrseqpFHx.exe	87

C:\Users\Admin\AppData\Local\Temp\rUtfalBbvXy6eEmMrseqpFHx.exe
"C:\Users\Admin\AppData\Local\Temp\rUtfalBbvXy6eEmMrseqpFHx.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\11111.exe
  C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3384
- C:\Users\Admin\AppData\Local\Temp\11111.exe
  C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\11111.exe

Filesize
458KB

MD5
ba3a98e2a1faacf0ad668b4e9582a109

SHA1
1160c029a6257f776a6ed1cfdc09ae158d613ae3

SHA256
8165138265a2bf60d2edd69662c399bdbf1426108e98c5dfff5933168eba33f5

SHA512
d255da482ad2e9fa29b84676028c21683b0df7663113e2b0b7c6ff07c9fb8995e81a589e6c8d157ce33c1f266ac12a512821894159eee37dbb53a1d3ae6d6825

Download Submit
C:\Users\Admin\AppData\Local\Temp\11111.exe

Filesize
391KB

MD5
7165e9d7456520d1f1644aa26da7c423

SHA1
177f9116229a021e24f80c4059999c4c52f9e830

SHA256
40ca14be87ccee1c66cce8ce07d7ed9b94a0f7b46d84f9147c4bbf6ddab75a67

SHA512
fe80996a7f5c64815c19db1fa582581aa1934ea8d1050e686b4f65bcdd000df1decdf711e0e4b1de8a2aa4fcb1ac95cebb0316017c42e80d8386bd3400fcaecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Filesize
31B

MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Filesize
1KB

MD5
7f0841790db9c7f1f082c81e976eb103

SHA1
18183bde138f7ceac2f15d9334a53be2c2db3016

SHA256
b32b0673cf09b8f215db036bfb0a6b878937779f5ca525e54f12cd04b27a651a

SHA512
35c6870ebbde32c7dced4100cdebf59cfd6dcf75acca39147971ae4703fb68c4071a2173446c8b67acd3d4d1b0c91dbdf6df157cd7d3ed75922821eeedf163c0

Download Submit
memory/4320-9-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download