General

  • Target

    35749bf0399ad629dc18643c73dc0169dff7e1534ebc6fea6b91ff2363e8c4d9.zip

  • Size

    419KB

  • Sample

    201204-8rmn8davxn

  • MD5

    8c2d27a56077a54801acd009a1a69b73

  • SHA1

    a73abcf971326cecabd9816e8ae3d085a136cf37

  • SHA256

    abb7ef4998575a79e1052090eee42f15454248bdccd5f71be080ca7e22b4150a

  • SHA512

    0d344ecbd7cb54e98979250fe4eb87f37f3ea9938125edcfe7c6bdecc7d3843e7451261f3505644c252d67f1ed9746064a4bedfe041b4cb21b8a1bbff5b3d917

Malware Config

Targets

    • Target

      35749bf0399ad629dc18643c73dc0169dff7e1534ebc6fea6b91ff2363e8c4d9

    • Size

      517KB

    • MD5

      a2ff7286733081bdee0489c9ef2eab7c

    • SHA1

      ae5d578f6cef3b2c64abeaccb581b77d200201d9

    • SHA256

      35749bf0399ad629dc18643c73dc0169dff7e1534ebc6fea6b91ff2363e8c4d9

    • SHA512

      270966ff3ec07c445a24d60d18c19720e5bdf9da601542eb19a7530ef19a1337589133eacd5d5faf6b8a189cac5ac8284f635199900762b3c2b6c06dbd295b0b

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks