a70fef725d796b5adb74d12567424fe976af6539cc49d7c0fb9cfbf5812edb03 | Triage

Sharing

General

Target

FedEx's AWB#530532320464350.pdf.exe
Size

881KB
Sample

200717-tkx6aentrn
MD5

566a9a9781b506b65ad41174cfcd6c77
SHA1

a51ad73695c95981edfb03fd5ccdb2eec11ff472
SHA256

a70fef725d796b5adb74d12567424fe976af6539cc49d7c0fb9cfbf5812edb03
SHA512

a5880fe29cd4145c919754fc5ac7f3331cfd9e70be79f2ddd36e7e2ebd43360097d9087898ac0680ee71effd9272b98988d293317a8f57f7903631b9b935c602

Score

8^/10

persistence spyware

Malware Config

Targets

- Target
  
  FedEx's AWB#530532320464350.pdf.exe
- Size
  
  881KB
- MD5
  
  566a9a9781b506b65ad41174cfcd6c77
- SHA1
  
  a51ad73695c95981edfb03fd5ccdb2eec11ff472
- SHA256
  
  a70fef725d796b5adb74d12567424fe976af6539cc49d7c0fb9cfbf5812edb03
- SHA512
  
  a5880fe29cd4145c919754fc5ac7f3331cfd9e70be79f2ddd36e7e2ebd43360097d9087898ac0680ee71effd9272b98988d293317a8f57f7903631b9b935c602
Score

8^/10

spyware persistence
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

spywarepersistence

behavioral2