General

  • Target

    FileZilla_3.50.0_win64_sponsored-setup.exe

  • Size

    12MB

  • Sample

    200923-qld6nykx52

  • MD5

    90f560ce71cc77fc2e121761eeef265c

  • SHA1

    85ff0ad4728e31539e1d3757a543d47e9cd42f74

  • SHA256

    d04bbcd2855d3bba4627cbb1da3a0e5fa79fe0b27b371024605ff1382ea94c58

  • SHA512

    c5a6b3890743ff0f1ea3f6fc9c2f28cf70e9f47c4067830ca63b38c3a1b10d386dc0d889c3041a553876b4a14fafd094f4a7d41279273b85148d6a8f9b9d54e1

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\{4DA8EC67-B574-438A-8C80-DAE8320E18CB}\String1033.txt

Ransom Note
DN_AlwaysInstall=Always Install IDPROP_EXPRESS_LAUNCH_CONDITION_COLOR=The color settings of your system are not adequate for running [ProductName]. IDPROP_EXPRESS_LAUNCH_CONDITION_OS=The operating system is not adequate for running [ProductName]. IDPROP_EXPRESS_LAUNCH_CONDITION_PROCESSOR=The processor is not adequate for running [ProductName]. IDPROP_EXPRESS_LAUNCH_CONDITION_RAM=The amount of RAM is not adequate for running [ProductName]. IDPROP_EXPRESS_LAUNCH_CONDITION_SCREEN=The screen resolution is not adequate for running [ProductName]. IDPROP_SETUPTYPE_COMPACT=Compact IDPROP_SETUPTYPE_COMPACT_DESC=Compact Description IDPROP_SETUPTYPE_COMPLETE=Complete IDPROP_SETUPTYPE_COMPLETE_DESC=Complete IDPROP_SETUPTYPE_CUSTOM=Custom IDPROP_SETUPTYPE_CUSTOM_DESC=Custom Description IDPROP_SETUPTYPE_CUSTOM_DESC_PRO=Custom IDPROP_SETUPTYPE_TYPICAL=Typical IDPROP_SETUPTYPE_TYPICAL_DESC=Typical Description IDS_ACTIONTEXT_Advertising=Advertising application IDS_ACTIONTEXT_AllocatingRegistry=Allocating registry space IDS_ACTIONTEXT_AppCommandLine=Application: [1], Command line: [2] IDS_ACTIONTEXT_AppId=AppId: [1]{{, AppType: [2]}} IDS_ACTIONTEXT_AppIdAppTypeRSN=AppId: [1]{{, AppType: [2], Users: [3], RSN: [4]}} IDS_ACTIONTEXT_Application=Application: [1] IDS_ACTIONTEXT_BindingExes=Binding executables IDS_ACTIONTEXT_ClassId=Class ID: [1] IDS_ACTIONTEXT_ClsID=Class ID: [1] IDS_ACTIONTEXT_ComponentIDQualifier=Component ID: [1], Qualifier: [2] IDS_ACTIONTEXT_ComponentIdQualifier2=Component ID: [1], Qualifier: [2] IDS_ACTIONTEXT_ComputingSpace=Computing space requirements IDS_ACTIONTEXT_ComputingSpace2=Computing space requirements IDS_ACTIONTEXT_ComputingSpace3=Computing space requirements IDS_ACTIONTEXT_ContentTypeExtension=MIME Content Type: [1], Extension: [2] IDS_ACTIONTEXT_ContentTypeExtension2=MIME Content Type: [1], Extension: [2] IDS_ACTIONTEXT_CopyingNetworkFiles=Copying files to the network IDS_ACTIONTEXT_CopyingNewFiles=Copying new files 
IDS_ACTIONTEXT_CreatingDuplicate=Creating duplicate files IDS_ACTIONTEXT_CreatingFolders=Creating folders IDS_ACTIONTEXT_CreatingIISRoots=Creating IIS Virtual Roots... IDS_ACTIONTEXT_CreatingShortcuts=Creating shortcuts IDS_ACTIONTEXT_DeletingServices=Deleting services IDS_ACTIONTEXT_EnvironmentStrings=Updating environment strings IDS_ACTIONTEXT_EvaluateLaunchConditions=Evaluating launch conditions IDS_ACTIONTEXT_Extension=Extension: [1] IDS_ACTIONTEXT_Extension2=Extension: [1] IDS_ACTIONTEXT_Feature=Feature: [1] IDS_ACTIONTEXT_FeatureColon=Feature: [1] IDS_ACTIONTEXT_File=File: [1] IDS_ACTIONTEXT_File2=File: [1] IDS_ACTIONTEXT_FileDependencies=File: [1], Dependencies: [2] IDS_ACTIONTEXT_FileDir=File: [1], Directory: [9] IDS_ACTIONTEXT_FileDir2=File: [1], Directory: [9] IDS_ACTIONTEXT_FileDir3=File: [1], Directory: [9] IDS_ACTIONTEXT_FileDirSize=File: [1], Directory: [9], Size: [6] IDS_ACTIONTEXT_FileDirSize2=File: [1], Directory: [9], Size: [6] IDS_ACTIONTEXT_FileDirSize3=File: [1], Directory: [9], Size: [6] IDS_ACTIONTEXT_FileDirSize4=File: [1], Directory: [2], Size: [3] IDS_ACTIONTEXT_FileDirectorySize=File: [1], Directory: [9], Size: [6] IDS_ACTIONTEXT_FileFolder=File: [1], Folder: [2] IDS_ACTIONTEXT_FileFolder2=File: [1], Folder: [2] IDS_ACTIONTEXT_FileSectionKeyValue=File: [1], Section: [2], Key: [3], Value: [4] IDS_ACTIONTEXT_FileSectionKeyValue2=File: [1], Section: [2], Key: [3], Value: [4] IDS_ACTIONTEXT_Folder=Folder: [1] IDS_ACTIONTEXT_Folder1=Folder: [1] IDS_ACTIONTEXT_Font=Font: [1] IDS_ACTIONTEXT_Font2=Font: [1] IDS_ACTIONTEXT_FoundApp=Found application: [1] IDS_ACTIONTEXT_FreeSpace=Free space: [1] IDS_ACTIONTEXT_GeneratingScript=Generating script operations for action: IDS_ACTIONTEXT_ISLockPermissionsCost=Gathering permissions information for objects... IDS_ACTIONTEXT_ISLockPermissionsInstall=Applying permissions information for objects... 
IDS_ACTIONTEXT_InitializeODBCDirs=Initializing ODBC directories IDS_ACTIONTEXT_InstallODBC=Installing ODBC components IDS_ACTIONTEXT_InstallServices=Installing new services IDS_ACTIONTEXT_InstallingSystemCatalog=Installing system catalog IDS_ACTIONTEXT_KeyName=Key: [1], Name: [2] IDS_ACTIONTEXT_KeyNameValue=Key: [1], Name: [2], Value: [3] IDS_ACTIONTEXT_MigratingFeatureStates=Migrating feature states from related applications IDS_ACTIONTEXT_MovingFiles=Moving files IDS_ACTIONTEXT_NameValueAction=Name: [1], Value: [2], Action [3] IDS_ACTIONTEXT_NameValueAction2=Name: [1], Value: [2], Action [3] IDS_ACTIONTEXT_PatchingFiles=Patching files IDS_ACTIONTEXT_ProgID=ProgID: [1] IDS_ACTIONTEXT_ProgID2=ProgID: [1] IDS_ACTIONTEXT_PropertySignature=Property: [1], Signature: [2] IDS_ACTIONTEXT_PublishProductFeatures=Publishing product features IDS_ACTIONTEXT_PublishProductInfo=Publishing product information IDS_ACTIONTEXT_PublishingQualifiedComponents=Publishing qualified components IDS_ACTIONTEXT_RegUser=Registering user IDS_ACTIONTEXT_RegisterClassServer=Registering class servers IDS_ACTIONTEXT_RegisterExtensionServers=Registering extension servers IDS_ACTIONTEXT_RegisterFonts=Registering fonts IDS_ACTIONTEXT_RegisterMimeInfo=Registering MIME info IDS_ACTIONTEXT_RegisterTypeLibs=Registering type libraries IDS_ACTIONTEXT_RegisteringComPlus=Registering COM+ Applications and Components IDS_ACTIONTEXT_RegisteringModules=Registering modules IDS_ACTIONTEXT_RegisteringProduct=Registering product IDS_ACTIONTEXT_RegisteringProgIdentifiers=Registering program identifiers IDS_ACTIONTEXT_RemoveApps=Removing applications IDS_ACTIONTEXT_RemovingBackup=Removing backup files IDS_ACTIONTEXT_RemovingDuplicates=Removing duplicated files IDS_ACTIONTEXT_RemovingFiles=Removing files IDS_ACTIONTEXT_RemovingFolders=Removing folders IDS_ACTIONTEXT_RemovingIISRoots=Removing IIS Virtual Roots... 
IDS_ACTIONTEXT_RemovingIni=Removing INI file entries IDS_ACTIONTEXT_RemovingMoved=Removing moved files IDS_ACTIONTEXT_RemovingODBC=Removing ODBC components IDS_ACTIONTEXT_RemovingRegistry=Removing system registry values IDS_ACTIONTEXT_RemovingShortcuts=Removing shortcuts IDS_ACTIONTEXT_RollingBack=Rolling back action: IDS_ACTIONTEXT_SearchForRelated=Searching for related applications IDS_ACTIONTEXT_SearchInstalled=Searching for installed applications IDS_ACTIONTEXT_SearchingQualifyingProducts=Searching for qualifying products IDS_ACTIONTEXT_SearchingQualifyingProducts2=Searching for qualifying products IDS_ACTIONTEXT_Service=Service: [1] IDS_ACTIONTEXT_Service2=Service: [2] IDS_ACTIONTEXT_Service3=Service: [1] IDS_ACTIONTEXT_Service4=Service: [1] IDS_ACTIONTEXT_Shortcut=Shortcut: [1] IDS_ACTIONTEXT_Shortcut1=Shortcut: [1] IDS_ACTIONTEXT_StartingServices=Starting services IDS_ACTIONTEXT_StoppingServices=Stopping services IDS_ACTIONTEXT_UnpublishProductFeatures=Unpublishing product features IDS_ACTIONTEXT_UnpublishQualified=Unpublishing Qualified Components IDS_ACTIONTEXT_UnpublishingProductInfo=Unpublishing product information IDS_ACTIONTEXT_UnregTypeLibs=Unregistering type libraries IDS_ACTIONTEXT_UnregisterClassServers=Unregister class servers IDS_ACTIONTEXT_UnregisterExtensionServers=Unregistering extension servers IDS_ACTIONTEXT_UnregisterModules=Unregistering modules IDS_ACTIONTEXT_UnregisteringComPlus=Unregistering COM+ Applications and Components IDS_ACTIONTEXT_UnregisteringFonts=Unregistering fonts IDS_ACTIONTEXT_UnregisteringMimeInfo=Unregistering MIME info IDS_ACTIONTEXT_UnregisteringProgramIds=Unregistering program identifiers IDS_ACTIONTEXT_UpdateComponentRegistration=Updating component registration IDS_ACTIONTEXT_UpdateEnvironmentStrings=Updating environment strings IDS_ACTIONTEXT_Validating=Validating install IDS_ACTIONTEXT_WritingINI=Writing INI file values IDS_ACTIONTEXT_WritingRegistry=Writing system registry values IDS_BACK=< &Back 
IDS_CANCEL=Cancel IDS_CANCEL2=&Cancel IDS_CHANGE=&Change... IDS_COMPLUS_PROGRESSTEXT_COST=Costing COM+ application: [1] IDS_COMPLUS_PROGRESSTEXT_INSTALL=Installing COM+ application: [1] IDS_COMPLUS_PROGRESSTEXT_UNINSTALL=Uninstalling COM+ application: [1] IDS_DIALOG_TEXT2_DESCRIPTION=Dialog Normal Description IDS_DIALOG_TEXT_DESCRIPTION_EXTERIOR={&TahomaBold10}Dialog Bold Title IDS_DIALOG_TEXT_DESCRIPTION_INTERIOR={&MSSansBold8}Dialog Bold Title IDS_DIFX_AMD64=[ProductName] requires an X64 processor. Click OK to exit the wizard. IDS_DIFX_IA64=[ProductName] requires an IA64 processor. Click OK to exit the wizard. IDS_DIFX_X86=[ProductName] requires an X86 processor. Click OK to exit the wizard. IDS_DatabaseFolder_InstallDatabaseTo=Install [ProductName] database to: IDS_ERROR_0={{Fatal error: }} IDS_ERROR_1=Error [1]. IDS_ERROR_10==== Logging started: [Date] [Time] === IDS_ERROR_100=Could not remove shortcut [2]. Verify that the shortcut file exists and that you can access it. IDS_ERROR_101=Could not register type library for file [2]. Contact your support personnel. IDS_ERROR_102=Could not unregister type library for file [2]. Contact your support personnel. IDS_ERROR_103=Could not update the INI file [2][3]. Verify that the file exists and that you can access it. IDS_ERROR_104=Could not schedule file [2] to replace file [3] on reboot. Verify that you have write permissions to file [3]. IDS_ERROR_105=Error removing ODBC driver manager, ODBC error [2]: [3]. Contact your support personnel. IDS_ERROR_106=Error installing ODBC driver manager, ODBC error [2]: [3]. Contact your support personnel. IDS_ERROR_107=Error removing ODBC driver [4], ODBC error [2]: [3]. Verify that you have sufficient privileges to remove ODBC drivers. IDS_ERROR_108=Error installing ODBC driver [4], ODBC error [2]: [3]. Verify that the file [4] exists and that you can access it. IDS_ERROR_109=Error configuring ODBC data source [4], ODBC error [2]: [3]. 
Verify that the file [4] exists and that you can access it. IDS_ERROR_11==== Logging stopped: [Date] [Time] === IDS_ERROR_110=Service [2] ([3]) failed to start. Verify that you have sufficient privileges to start system services. IDS_ERROR_111=Service [2] ([3]) could not be stopped. Verify that you have sufficient privileges to stop system services. IDS_ERROR_112=Service [2] ([3]) could not be deleted. Verify that you have sufficient privileges to remove system services. IDS_ERROR_113=Service [2] ([3]) could not be installed. Verify that you have sufficient privileges to install system services. IDS_ERROR_114=Could not update environment variable [2]. Verify that you have sufficient privileges to modify environment variables. IDS_ERROR_115=You do not have sufficient privileges to complete this installation for all users of the machine. Log on as an administrator and then retry this installation. IDS_ERROR_116=Could not set file security for file [3]. Error: [2]. Verify that you have sufficient privileges to modify the security permissions for this file. IDS_ERROR_117=Component Services (COM+ 1.0) are not installed on this computer. This installation requires Component Services in order to complete successfully. Component Services are available on Windows 2000. IDS_ERROR_118=Error registering COM+ application. Contact your support personnel for more information. IDS_ERROR_119=Error unregistering COM+ application. Contact your support personnel for more information. IDS_ERROR_12=Action start [Time]: [1]. IDS_ERROR_120=Removing older versions of this application IDS_ERROR_121=Preparing to remove older versions of this application IDS_ERROR_122=Error applying patch to file [2]. It has probably been updated by other means, and can no longer be modified by this patch. For more information contact your patch vendor. {{System Error: [3]}} IDS_ERROR_123=[2] cannot install one of its required products. Contact your technical support group. 
{{System Error: [3].}} IDS_ERROR_124=The older version of [2] cannot be removed. Contact your technical support group. {{System Error [3].}} IDS_ERROR_125=The description for service '[2]' ([3]) could not be changed. IDS_ERROR_126=The Windows Installer service cannot update the system file [2] because the file is protected by Windows. You may need to update your operating system for this program to work correctly. {{Package version: [3], OS Protected version: [4]}} IDS_ERROR_127=The Windows Installer service cannot update the protected Windows file [2]. {{Package version: [3], OS Protected version: [4], SFP Error: [5]}} IDS_ERROR_128=The Windows Installer service cannot update one or more protected Windows files. SFP Error: [2]. List of protected files: [3] IDS_ERROR_129=User installations are disabled via policy on the machine. IDS_ERROR_13=Action ended [Time]: [1]. Return value [2]. IDS_ERROR_130=This setup requires Internet Information Server for configuring IIS Virtual Roots. Please make sure that you have IIS installed. IDS_ERROR_131=This setup requires Administrator privileges for configuring IIS Virtual Roots. IDS_ERROR_1329=A file that is required cannot be installed because the cabinet file [2] is not digitally signed. This may indicate that the cabinet file is corrupt. IDS_ERROR_1330=A file that is required cannot be installed because the cabinet file [2] has an invalid digital signature. This may indicate that the cabinet file is corrupt.{ Error [3] was returned by WinVerifyTrust.} IDS_ERROR_1331=Failed to correctly copy [2] file: CRC error. IDS_ERROR_1332=Failed to correctly patch [2] file: CRC error. IDS_ERROR_1333=Failed to correctly patch [2] file: CRC error. IDS_ERROR_1334=The file '[2]' cannot be installed because the file cannot be found in cabinet file '[3]'. This could indicate a network error, an error reading from the CD-ROM, or a problem with this package. 
IDS_ERROR_1335=The cabinet file '[2]' required for this installation is corrupt and cannot be used. This could indicate a network error, an error reading from the CD-ROM, or a problem with this package. IDS_ERROR_1336=There was an error creating a temporary file that is needed to complete this installation. Folder: [3]. System error code: [2] IDS_ERROR_14=Time remaining: {[1] minutes }{[2] seconds} IDS_ERROR_15=Out of memory. Shut down other applications before retrying. IDS_ERROR_16=Installer is no longer responding. IDS_ERROR_1609=An error occurred while applying security settings. [2] is not a valid user or group. This could be a problem with the package, or a problem connecting to a domain controller on the network. Check your network connection and click Retry, or Cancel to end the install. Unable to locate the user's SID, system error [3] IDS_ERROR_1651=Admin user failed to apply patch for a per-user managed or a per-machine application which is in advertise state. IDS_ERROR_17=Installer terminated prematurely. IDS_ERROR_1715=Installed [2]. IDS_ERROR_1716=Configured [2]. IDS_ERROR_1717=Removed [2]. IDS_ERROR_1718=File [2] was rejected by digital signature policy. IDS_ERROR_1719=Windows Installer service could not be accessed. Contact your support personnel to verify that it is properly registered and enabled. IDS_ERROR_1720=There is a problem with this Windows Installer package. A script required for this install to complete could not be run. Contact your support personnel or package vendor. Custom action [2] script error [3], [4]: [5] Line [6], Column [7], [8] IDS_ERROR_1721=There is a problem with this Windows Installer package. A program required for this install to complete could not be run. Contact your support personnel or package vendor. Action: [2], location: [3], command: [4] IDS_ERROR_1722=There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. 
Contact your support personnel or package vendor. Action [2], location: [3], command: [4] IDS_ERROR_1723=There is a problem with this Windows Installer package. A DLL required for this install to complete could not be run. Contact your support personnel or package vendor. Action [2], entry: [3], library: [4] IDS_ERROR_1724=Removal completed successfully. IDS_ERROR_1725=Removal failed. IDS_ERROR_1726=Advertisement completed successfully. IDS_ERROR_1727=Advertisement failed. IDS_ERROR_1728=Configuration completed successfully. IDS_ERROR_1729=Configuration failed. IDS_ERROR_1730=You must be an Administrator to remo

Targets

    • Target

      FileZilla_3.50.0_win64_sponsored-setup.exe

    • Size

      12MB

    • MD5

      90f560ce71cc77fc2e121761eeef265c

    • SHA1

      85ff0ad4728e31539e1d3757a543d47e9cd42f74

    • SHA256

      d04bbcd2855d3bba4627cbb1da3a0e5fa79fe0b27b371024605ff1382ea94c58

    • SHA512

      c5a6b3890743ff0f1ea3f6fc9c2f28cf70e9f47c4067830ca63b38c3a1b10d386dc0d889c3041a553876b4a14fafd094f4a7d41279273b85148d6a8f9b9d54e1

    • Registers COM server for autorun

    • Blacklisted process makes network request

    • Creates new service(s)

    • Executes dropped EXE

    • Suspicious Office macro

      Office document equipped with 4.0 macros.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • JavaScript code in executable

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

  Tactic                  Technique                             Count  ID
  ----------------------  ------------------------------------  -----  -----
  Persistence             Registry Run Keys / Startup Folder    1      T1060
  Persistence             New Service                           1      T1050
  Persistence             Browser Extensions                    1      T1176
  Privilege Escalation    New Service                           1      T1050
  Defense Evasion         Modify Registry                       3      T1112
  Defense Evasion         Install Root Certificate              1      T1130
  Credential Access       Credentials in Files                  1      T1081
  Discovery               Query Registry                        5      T1012
  Discovery               System Information Discovery          4      T1082
  Discovery               Security Software Discovery           1      T1063
  Discovery               Peripheral Device Discovery           1      T1120
  Collection              Data from Local System                1      T1005

Tasks