ef34d546cf921e14c5a2508f616f03b237ee32b61184778e668b2175af086733 | Triage

Submit
Reports

Overview

overview

Static

static

3

ef34d546cf...33.exe

windows7-x64

ef34d546cf...33.exe

windows10-2004-x64

Sharing

General

Target

ef34d546cf921e14c5a2508f616f03b237ee32b61184778e668b2175af086733
Size

3.0MB
Sample

240701-e1w9yswdre
MD5

ee3f168d7d032b8ccce800b8bd63214b
SHA1

46c7808867be5eab309eb53dcf735827d4f59d95
SHA256

ef34d546cf921e14c5a2508f616f03b237ee32b61184778e668b2175af086733
SHA512

e75ac3f0bafdc2d825fae6d50443a8efcfd8fd70816b81673aee6bc4f4fc39d563766586555874056883b4f1b0e55e99d2023152c8ddeedbf4897a353b2c56a1
SSDEEP

98304:pjlpHBlcfV6F0ozPrJKhZg+SWPzuNwOyoSe:pjlDlqsF90g+SWPWv

Score

10^/10

persistence spyware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

ef34d546cf921e14c5a2508f616f03b237ee32b61184778e668b2175af086733.exe

Resource

win7-20240508-en

persistence spyware stealer

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

ef34d546cf921e14c5a2508f616f03b237ee32b61184778e668b2175af086733.exe

Resource

win10v2004-20240508-en

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Targets

- Target
  
  ef34d546cf921e14c5a2508f616f03b237ee32b61184778e668b2175af086733
- Size
  
  3.0MB
- MD5
  
  ee3f168d7d032b8ccce800b8bd63214b
- SHA1
  
  46c7808867be5eab309eb53dcf735827d4f59d95
- SHA256
  
  ef34d546cf921e14c5a2508f616f03b237ee32b61184778e668b2175af086733
- SHA512
  
  e75ac3f0bafdc2d825fae6d50443a8efcfd8fd70816b81673aee6bc4f4fc39d563766586555874056883b4f1b0e55e99d2023152c8ddeedbf4897a353b2c56a1
- SSDEEP
  
  98304:pjlpHBlcfV6F0ozPrJKhZg+SWPzuNwOyoSe:pjlDlqsF90g+SWPWv
Score

10^/10

persistence spyware stealer
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Detects executables packed with unregistered version of .NET Reactor
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

persistencespywarestealer

behavioral2

© 2018-2024

Terms | Privacy