crealstealer | 1a02d0b18d3225c47d3ac9ad4f0c24a889bcf24fc9d3ddff71842d78e4549d9b | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

Creal.exe

windows7-x64

7

Creal.exe

windows10-2004-x64

7

Sharing

General

Target

Creal.exe
Size

10.8MB
Sample

250316-sfdh1axjx6
MD5

e4692be030a3f7f1b23aa10425daaa4f
SHA1

9443fa19fb06721cfa772026939a5fed310704b6
SHA256

1a02d0b18d3225c47d3ac9ad4f0c24a889bcf24fc9d3ddff71842d78e4549d9b
SHA512

207921b5d0b3a7ca6238928db67a346515c61ba0b4fc5b5778150646ad837efe6c85b9425361066b221aba00d45412675caa249d7e86dbba261c18f7975f3242
SSDEEP

196608:e0uEqWQ3xfpTgdQmRJ8dA6lSuqaycBIGpEKo6hTOv+QKfFqTeKq/lVUwfW5UqKUd:013bgdQuslSq9foWOv+9fFG2Ve5Ftx

Score

10^/10

crealstealer credential_access pyinstaller spyware stealer

Static task

static1

pyinstaller crealstealer

4 signatures

Behavioral task

behavioral1

Sample

Creal.exe

Resource

win7-20250207-en

windows7-x64

2 signatures

150 seconds

Behavioral task

behavioral2

Sample

Creal.exe

Resource

win10v2004-20250314-en

credential_access spyware stealer

windows10-2004-x64

8 signatures

150 seconds

Malware Config

Targets

- Target
  
  Creal.exe
- Size
  
  10.8MB
- MD5
  
  e4692be030a3f7f1b23aa10425daaa4f
- SHA1
  
  9443fa19fb06721cfa772026939a5fed310704b6
- SHA256
  
  1a02d0b18d3225c47d3ac9ad4f0c24a889bcf24fc9d3ddff71842d78e4549d9b
- SHA512
  
  207921b5d0b3a7ca6238928db67a346515c61ba0b4fc5b5778150646ad837efe6c85b9425361066b221aba00d45412675caa249d7e86dbba261c18f7975f3242
- SSDEEP
  
  196608:e0uEqWQ3xfpTgdQmRJ8dA6lSuqaycBIGpEKo6hTOv+QKfFqTeKq/lVUwfW5UqKUd:013bgdQuslSq9foWOv+9fFG2Ve5Ftx
Score

7^/10

credential_access spyware stealer
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

pyinstallercrealstealer

behavioral1

behavioral2

credential_accessspywarestealer

© 2018-2025

Terms | Privacy