General

  • Target

    New order.exe

  • Size

    639KB

  • Sample

    201109-cyf1ke1mnx

  • MD5

    8652ae4ebceeda4f66f430255abc91e3

  • SHA1

    16ca224eb2cfe507f40a9db03eb5bdb7befc373f

  • SHA256

    cbeefe51466bc72c1d6ac6d8a24c4da9a9c8f66d2e388a057bb6ce5c197c152d

  • SHA512

    7e207dacc4b3e1473af11aa9ebb43c9f25913347716b3c1857a50af8fe75ded6913fe29d2c19c1232c9cc8c899c90029f6a7348e974be2e534350a8bc10ac138

Malware Config

Targets

    • Target

      New order.exe

    • Size

      639KB

    • MD5

      8652ae4ebceeda4f66f430255abc91e3

    • SHA1

      16ca224eb2cfe507f40a9db03eb5bdb7befc373f

    • SHA256

      cbeefe51466bc72c1d6ac6d8a24c4da9a9c8f66d2e388a057bb6ce5c197c152d

    • SHA512

      7e207dacc4b3e1473af11aa9ebb43c9f25913347716b3c1857a50af8fe75ded6913fe29d2c19c1232c9cc8c899c90029f6a7348e974be2e534350a8bc10ac138

    • 404 Keylogger

      Information stealer and keylogger first seen in 2019.

    • 404 Keylogger Main Executable

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks