48ce0e9cc96cb8d9ebe92bd7c1982e84d48baffdbada44d5949370a58ebae901 | Triage

Sharing

General

Target

KSP QUOTE_2.exe
Size

527KB
Sample

200709-3meh9pj372
MD5

187a269d103856e0d922e71e26046ac4
SHA1

3b9c201ceff06148739d6c59e3a20c2048e8a9fe
SHA256

48ce0e9cc96cb8d9ebe92bd7c1982e84d48baffdbada44d5949370a58ebae901
SHA512

9bedef76d5de703b32123c130aa27f0efd5850e395c2601ab030162872b5c06f68e1439282d9cef9a7133416ee23ed657f2da8f3d9e39ab5db39ad6c8c1ad66b

Score

8^/10

evasion persistence spyware trojan

Malware Config

Targets

- Target
  
  KSP QUOTE_2.exe
- Size
  
  527KB
- MD5
  
  187a269d103856e0d922e71e26046ac4
- SHA1
  
  3b9c201ceff06148739d6c59e3a20c2048e8a9fe
- SHA256
  
  48ce0e9cc96cb8d9ebe92bd7c1982e84d48baffdbada44d5949370a58ebae901
- SHA512
  
  9bedef76d5de703b32123c130aa27f0efd5850e395c2601ab030162872b5c06f68e1439282d9cef9a7133416ee23ed657f2da8f3d9e39ab5db39ad6c8c1ad66b
Score

8^/10

evasion trojan persistence spyware
- Adds Run entry to policy start application
  persistence
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

persistencespyware