General

  • Target

    3b87d209178da51dc473f3c63ba4bf1dd5435ca8b35f6c562d5d7614d3414eba

  • Size

    2.4MB

  • Sample

    210228-ls7as1pp36

  • MD5

    d394d11206884455bd32758865419a73

  • SHA1

    db6f83bf7fd8f386af36e7dec78d92dd66d38a31

  • SHA256

    3b87d209178da51dc473f3c63ba4bf1dd5435ca8b35f6c562d5d7614d3414eba

  • SHA512

    19295ea770e99c172f011b62e6cd40c27a035676dcbfb19d30febe7fc5960de9abfb9769c3363e494d5986bcddbf71aa9b88acce40cb5a081181a14c924fb73a

Malware Config

Targets

    • Target

      3b87d209178da51dc473f3c63ba4bf1dd5435ca8b35f6c562d5d7614d3414eba

    • Size

      2.4MB

    • MD5

      d394d11206884455bd32758865419a73

    • SHA1

      db6f83bf7fd8f386af36e7dec78d92dd66d38a31

    • SHA256

      3b87d209178da51dc473f3c63ba4bf1dd5435ca8b35f6c562d5d7614d3414eba

    • SHA512

      19295ea770e99c172f011b62e6cd40c27a035676dcbfb19d30febe7fc5960de9abfb9769c3363e494d5986bcddbf71aa9b88acce40cb5a081181a14c924fb73a

    • Disables Task Manager via registry modification

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

System Information Discovery

1
T1082

Collection

Data from Local System

2
T1005

Tasks