General

  • Target

    Vape.bin.zip

  • Size

    1.1MB

  • Sample

    210105-twlv3x4yts

  • MD5

    46507506e8a38ddb240258066664083f

  • SHA1

    9fba1caee74179138cf5a30ca68159d3efb99dab

  • SHA256

    9f714adc9de1c111fb4db196aa7ee2089fb9eb6942fb030a2a71431c4eef5517

  • SHA512

    8af1a4977b323a94da1e678b985d7fd11b4aa8dcdeb7504527d3b2d234d4e8e39ec156f08970a8cc8cc465bf5bc5ff89ca1c28ace82990464c26ef1dacfd4164

Malware Config

Targets

    • Target

      Vape.bin

    • Size

      3.0MB

    • MD5

      dad51e4898b39812e8a03214e612c795

    • SHA1

      1d20dc5a9d8b1d0d67df0169f26e6af6c6481e06

    • SHA256

      4c9666fd8b845f51714d4a52f3b219bfb317835af164f17de6ab97097b0b3158

    • SHA512

      ef50cf65924f39bcd62248fabefd58d68e0f8fa73ee4879f1a62bae8107b0c7d620de6f9d76b74bde5fde73400061c97a6f469389aa953e3a6c10f5cccfb0911

    • Detected Xorist Ransomware

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • Modifies security service

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xorist Ransomware

      Xorist is a ransomware first seen in 2020.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Windows security modification

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  Tactic             Technique                           Count  ID
  Execution          Scripting                           1      T1064
  Persistence        Modify Existing Service             1      T1031
  Persistence        Registry Run Keys / Startup Folder  1      T1060
  Defense Evasion    Modify Registry                     4      T1112
  Defense Evasion    Scripting                           1      T1064
  Defense Evasion    Disabling Security Tools            1      T1089
  Credential Access  Credentials in Files                1      T1081
  Discovery          Query Registry                      3      T1012
  Discovery          System Information Discovery        4      T1082
  Discovery          Peripheral Device Discovery         1      T1120
  Collection         Data from Local System              1      T1005
