dff0bf7c85f01cf94f21c7bdd224fe0b3d73dcad9cb38fa40eef4685c9bc63ab | Triage

Sharing

General

Target

RFQ Request For Quotation.doc. .exe
Size

1.0MB
Sample

200709-wka4avlsbe
MD5

087a1ecc3d720b786d8cc8544bc469ed
SHA1

721623d6904a1c9e8168c3f104840490b5b52491
SHA256

dff0bf7c85f01cf94f21c7bdd224fe0b3d73dcad9cb38fa40eef4685c9bc63ab
SHA512

ae12605396dc568f7da9d9fdfb5518bcedea190c0c7f3d39d9773c76fee41bc5f0daf966ca31bba6acccdc5be867e64a30c6c1deed2425713db1226c196d5981

Score

10^/10

evasion persistence spyware

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftps4.us.freehostia.com
Port:
21
Username:
jumshi
Password:
winniebobo

Targets

- Target
  
  RFQ Request For Quotation.doc. .exe
- Size
  
  1.0MB
- MD5
  
  087a1ecc3d720b786d8cc8544bc469ed
- SHA1
  
  721623d6904a1c9e8168c3f104840490b5b52491
- SHA256
  
  dff0bf7c85f01cf94f21c7bdd224fe0b3d73dcad9cb38fa40eef4685c9bc63ab
- SHA512
  
  ae12605396dc568f7da9d9fdfb5518bcedea190c0c7f3d39d9773c76fee41bc5f0daf966ca31bba6acccdc5be867e64a30c6c1deed2425713db1226c196d5981
Score

10^/10

evasion persistence spyware
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Stops running service(s)
  evasion
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Modifies service
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Modify Existing Service

Privilege Escalation

Defense Evasion

Disabling Security Tools

Hidden Files and Directories

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

evasionpersistencespyware

behavioral2