7eb2de2bfd05ee1e83980aa914486789d2e8f3fb3cc6e166f140302fdaf40cd9 | Triage

Sharing

General

Target

PO-75013.scr
Size

1.6MB
Sample

210113-e8ce7z11he
MD5

e7e6ee6ef97ff797562c91e0ff401ac4
SHA1

d1ec737c87a9c0a91456f1019106b77ee2e03980
SHA256

7eb2de2bfd05ee1e83980aa914486789d2e8f3fb3cc6e166f140302fdaf40cd9
SHA512

1b84af0412dc0afbc19f894d2aec326f0f11c12dc9921ac817dab08415051f841b77aec5ed7bf5b53b0665e68b68ab53392ea731243a4630125fc158b3fd7743

Score

8^/10

persistence spyware

Malware Config

Targets

- Target
  
  PO-75013.scr
- Size
  
  1.6MB
- MD5
  
  e7e6ee6ef97ff797562c91e0ff401ac4
- SHA1
  
  d1ec737c87a9c0a91456f1019106b77ee2e03980
- SHA256
  
  7eb2de2bfd05ee1e83980aa914486789d2e8f3fb3cc6e166f140302fdaf40cd9
- SHA512
  
  1b84af0412dc0afbc19f894d2aec326f0f11c12dc9921ac817dab08415051f841b77aec5ed7bf5b53b0665e68b68ab53392ea731243a4630125fc158b3fd7743
Score

8^/10

persistence spyware
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

persistencespyware

behavioral2

persistencespyware