crealstealer | b249966552a1b64b965003684e6ed94fbed7b92472c4127fdf21653a84771e0a | Triage

Sharing

General

Target

LunarPremium.rar
Size

14.1MB
Sample

241231-1k388atkan
MD5

ff5ee15242f48764b2edc32fc5509e57
SHA1

dff0d50bede893472a25c8d9ceecc17f331d5ac4
SHA256

b249966552a1b64b965003684e6ed94fbed7b92472c4127fdf21653a84771e0a
SHA512

aeddfd2ed55db71e7184945c2cffda3190d9c6c9f58c85904253a9dd67ad8279562d9b5bc497d01c3eb087dc43e9e18fe847072dc38ed291839417c5d751ce9a
SSDEEP

393216:xvd03n0BOxhr7t44HNetxAaWsyqUTwVUuxFUASuD:5wxhr7GqgAaW7qUT2UAS+

Score

10^/10

crealstealer credential_access discovery pyinstaller spyware stealer

Malware Config

Targets

- Target
  
  LunarSpoofer/hwidspoof.exe
- Size
  
  14.3MB
- MD5
  
  0bab157a11bf6cb49f464f335f632114
- SHA1
  
  c3111056b6649a6c783cef6c4a7bac8beb30cb8f
- SHA256
  
  ffcc5b7fe6b090a601737ef13007714dd17af1019bbec008a3cc17714fcd3ce9
- SHA512
  
  86352eb26fed1cd80f7cf51c31688314b1da8ecd10c146c89fcd9064615cef0bf711f667c58100036106abf9a0cde2e5f540c9188a3c61353de09dd6ab3cd54f
- SSDEEP
  
  196608:Zf0sKYu/PaQ+Duvf7ndQmRJ8dA6lSuqaycBIGpEqo6hTOv+QKfwJnF7vDbrh/l56:fQPndQuslSq9RoWOv+9fgF/5spLcti
Score

7^/10

credential_access discovery spyware stealer
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Enumerates processes with tasklist
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Process Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

pyinstallercrealstealer

behavioral1

behavioral2

credential_accessdiscoveryspywarestealer