General

  • Target

    PO-5042.scr

  • Size

    1.5MB

  • Sample

    210113-gkzased3fx

  • MD5

    f502ba6dcaa52430ff540dbdef13c40b

  • SHA1

    b697dbbac2192c5416648413f0639e9da4763c9a

  • SHA256

    b1251d0a542cd96f6957904d30289cbf675035ae79ac4158fc098aa84cd22506

  • SHA512

    b8d1a484012238d7a0d49bbe2077231b2bc39cd0581bc8e41b8e24ff2fcc39580ed8cecafea2570acf1df9d3ee1eb713415c80d1af1735fc029fe696b19d5d81

Score
8/10

Malware Config

Targets

    • Target

      PO-5042.scr

    • Size

      1.5MB

    • MD5

      f502ba6dcaa52430ff540dbdef13c40b

    • SHA1

      b697dbbac2192c5416648413f0639e9da4763c9a

    • SHA256

      b1251d0a542cd96f6957904d30289cbf675035ae79ac4158fc098aa84cd22506

    • SHA512

      b8d1a484012238d7a0d49bbe2077231b2bc39cd0581bc8e41b8e24ff2fcc39580ed8cecafea2570acf1df9d3ee1eb713415c80d1af1735fc029fe696b19d5d81

    Score
    8/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks