General
Target: lufdgThK9EuYSwgOb6xdwvcF.bin.zip
Size: 5.9MB
Sample: 210224-vaaheq6f3j
MD5: d9931d87184cc551a753025d3323570a
SHA1: ed2c83a3dfd36070a9c278d89f2d14fc927c0af7
SHA256: da3955c8a84533b421a22f286e8f362179fa37ac60348d1312516a94b08e5d8b
SHA512: 8608dc8e4dfddbac73175ae4f7844238ea62c50d8f8124ee7b2eaeb04e785506fca0b5028c9f49b4a06dc879f684d476bf7994b008921644bed7072c45413883
Static task: static1
Behavioral task: behavioral1
  Sample: lufdgThK9EuYSwgOb6xdwvcF.bin.exe
  Resource: win10v20201028
Behavioral task: behavioral2
  Sample: lufdgThK9EuYSwgOb6xdwvcF.bin.exe
  Resource: win10v20201028
Behavioral task: behavioral3
  Sample: lufdgThK9EuYSwgOb6xdwvcF.bin.exe
  Resource: win10v20201028
Behavioral task: behavioral4
  Sample: lufdgThK9EuYSwgOb6xdwvcF.bin.exe
  Resource: win10v20201028
Malware Config
Targets
Target: lufdgThK9EuYSwgOb6xdwvcF.bin
Size: 6.0MB
MD5: f5cca3aa7de2478569d38c765654267d
SHA1: 7dfd05dd62788dd43289e2032f00006789e71311
SHA256: 280aa9de9a1db7e8c380b811e80f30a12b592222fe304b578ea1efcb2ac340e5
SHA512: 0a78ae90699d7b8834946368c9d2d8e87d9a6c610d9cc2d26fe9c2e1e80173331d55beeb28c40f17831daf29132fb40c9fe670334b9626e349eeeb0a28acb57d
Signatures
- Nirsoft
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext