ioc[.]one - OSINT Cyber Threat Intelligence Database

PennyWise Stealer: An Evasive Infostealer leveraging YouTube to infect users

Tags

cmtmf-attack-pattern:	Application Layer Protocol Process Injection
country:	Belarus Kazakhstan Russia Ukraine
attack-pattern:	Data Software Discovery - T1418 Application Layer Protocol - T1437 Credentials - T1589.001 Credentials From Password Stores - T1555 Exfiltration Over C2 Channel - T1646 Hardware - T1592.001 Malware - T1587.001 Malware - T1588.001 Multi-Factor Authentication - T1556.006 Process Hollowing - T1055.012 Process Injection - T1631 Screen Capture - T1513 Server - T1583.004 Server - T1584.004 Software - T1592.002 Software Discovery - T1518 Steal Application Access Token - T1528 Steal Application Access Token - T1635 Steal Web Session Cookie - T1539 Virtualization/Sandbox Evasion - T1497 Unsecured Credentials - T1552 Virtualization/Sandbox Evasion - T1633 Standard Application Layer Protocol - T1071 Browser Extensions - T1176 Deobfuscate/Decode Files Or Information - T1140 Exfiltration Over Command And Control Channel - T1041 Process Hollowing - T1093 Process Injection - T1055 Screen Capture - T1113 System Service Discovery - T1007 System Time Discovery - T1124 User Execution - T1204 Screen Capture User Execution

Show in Graph

Common Information

Type	Value
UUID	01913a95-9606-4ded-aeb5-7225b0d01941
Fingerprint	bfa42a60aef30401
Analysis status	DONE
Considered CTI value	2
Text language
Published	June 30, 2022, midnight
Added to db	Oct. 24, 2023, 1:43 p.m.
Last updated	Nov. 16, 2024, 8:07 p.m.
Headline	PennyWise Stealer: An Evasive Infostealer leveraging YouTube to infect users
Title	PennyWise Stealer: An Evasive Infostealer leveraging YouTube to infect users
Detected Hints/Tags/Attributes	101/3/68

Source URLs

	Redirection	Url
Details	Redirection	https://blog.cyble.com/2022/06/30/infostealer/
Details	Source	https://cyble.com/blog/infostealer/

URL Provider

Details	Provider	Source level domain
Details	cyble.com	cyble.com
Details	cyble.com	blog.cyble.com

Attributes

Details	Type	#Events	Value
Details	File	48	applaunch.exe
Details	File	60	cookies.sql
Details	File	41	key4.db
Details	File	8	login.json
Details	File	3	_cookies.txt
Details	File	5	processes.txt
Details	File	20	screenshot.jpg
Details	File	45	information.txt
Details	File	6	software.txt
Details	md5	1	9D16FBEF0D8A8F87529DE06A1C43C737
Details	md5	1	eef01a6152c5a7ecd4e952e8086abdb3
Details	md5	1	66502250f78c6f61e7725a3daa0f4220
Details	md5	1	a1249d31ea72e00055286c94592bc0e3
Details	md5	1	e062fedb25bbf55894711100c35130c1
Details	md5	1	f71d077c9889d005c8c71f3a2fe20fd0
Details	md5	1	a6064cd1760ea08973b20bdc0e7ea699
Details	md5	1	c9ac6deb0ef78785d469033117411e3d
Details	md5	1	da9f8ec6d3337315435fa9d9d7868980
Details	md5	1	d72619b4ededa0f8cfe9554557bf2c7f
Details	md5	1	215c203f7f3e3f63c5ae9e35d8625463
Details	md5	1	ece1ffba058735ab9521ee1ed5cf969c
Details	md5	1	f0807f8ec6349d726b19713ece98c57b
Details	md5	1	88facb451a849d37a272ab9a7a83a47c
Details	sha1	1	fd3c1844af6af1552ff08e88c1553cc6565fe455
Details	sha1	1	8cfc5d40a8008e91464fd89a1d6cb3a7b3b7a282
Details	sha1	1	8644ac0cc1a805f1682a0b0f65052a1835e599b1
Details	sha1	1	b28568c19eaafd0e8212b81ea7b87340554e1340
Details	sha1	1	2ba8275af7b7708a7f79bb442c980ec3d3c04b91
Details	sha1	1	c5f3342e9fcc159eef81a459d54eb7b6ce80feb1
Details	sha1	1	15622e8ec3ec4c29f09b3871678199599d285e43
Details	sha1	1	ebf6edd68e97bd13d4ed3e878c7bd11dfb5a628c
Details	sha1	1	ee456a4b32eff2eddf14c6ae5385d977081308b4
Details	sha1	1	b6bfbbd9c49cc94e4fcab413f62a12bb23485cdf
Details	sha1	1	35a06ba7f2cffaf5c2f97c7fe02d235c6317ebf2
Details	sha1	1	e341cd9abfca8e02bef0d0af94343949a23ce6c4
Details	sha1	1	27c66fa23f8af20be0234f95b35e64ccea7d73ae
Details	sha256	1	e43b83bf5f7ed17b0f24e3fb7e95f3e7eb644dbda1977e5d2f33e1d8f71f5da0
Details	sha256	1	3bbd6cdbc70a5517e5f39ed9dfad0897d5b200feecd73d666299876e35fa4c90
Details	sha256	1	05854ea1958ef0969a2c717ce6cb0c67cd3bcd327badac6aa7925d95a0b11232
Details	sha256	1	01c83c32ab5c2f0fda5c04aee7b02dc30d59c91c1db70e168a6cc1215cc53ab7
Details	sha256	1	c5e9d0aa26ca6255559708bcf957d79e3adb4d2b08146cd765182f7b834227f4
Details	sha256	1	dcd2c2073c227e5b496ca0cb13e31d18b45899dca0de1633f2eeb25d264258de
Details	sha256	1	bc709e3aea5732c3d07c7f59ea22f8a5c026e45558d0e2aa3fb35ac78f39d9f4
Details	sha256	1	0eb43cef2e674aa72b24cccd36b349ce0e4eb347c0fbf373bc53c97713e8e94f
Details	sha256	1	117d5155fe3659a816f10faf859ff68c6094457eb1902d6699df74fac309befd
Details	sha256	1	4da90f77a26a16eee48cb73ca920e681974554be0d87a225e7ad9416adbf34c6
Details	sha256	1	bc51e019e91bbb8e704ee4b7027dab4f7168b3b4e947e83d43bf4c488aa2b612
Details	sha256	1	6dbeb13c7efbd62561bf2fea3b1e3d36021e701b80a993e28498182d0884ce6f
Details	sha256	1	bf46b901e1899533629b751f28bd4adab3f11f0ddf8b509c9f90af25a1a73b5b
Details	sha256	1	5b11938d67a8a0c629bf4ec1f8b77c6ba0910546984d4d983f43a25d4e7b72ac
Details	IPv4	1	185.246.116.237
Details	MITRE ATT&CK Techniques	420	T1204
Details	MITRE ATT&CK Techniques	504	T1140
Details	MITRE ATT&CK Techniques	238	T1497
Details	MITRE ATT&CK Techniques	86	T1055.012
Details	MITRE ATT&CK Techniques	172	T1555
Details	MITRE ATT&CK Techniques	99	T1539
Details	MITRE ATT&CK Techniques	113	T1552
Details	MITRE ATT&CK Techniques	40	T1528
Details	MITRE ATT&CK Techniques	219	T1113
Details	MITRE ATT&CK Techniques	185	T1518
Details	MITRE ATT&CK Techniques	86	T1124
Details	MITRE ATT&CK Techniques	100	T1007
Details	MITRE ATT&CK Techniques	444	T1071
Details	MITRE ATT&CK Techniques	422	T1041
Details	Url	1	http://185.246.116.237
Details	Windows Registry Key	14	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Details	Windows Registry Key	2	HKEY_CURRENT_USER\Software\Blockchain_name