General

  • Target

    547612a9ff746063a74c71b009230500.exe

  • Size

    112KB

  • Sample

    210926-r7k7gsfab6

  • MD5

    547612a9ff746063a74c71b009230500

  • SHA1

    c04b0adc612addc701e3a0336a4e8a23fbd331c4

  • SHA256

    bf99b231b81ab2ba895c0cbf395a5fdb5fc18d3465592150e365f31302c8250a

  • SHA512

    545b74192e076e46a960a05e5281dedfd00c7fc002aeec60f04f55543eb79beaa2866ab20e16903e2d1601275e28be73fa0a5ef5abe23fd2e13c38805cdd9402

Malware Config

Targets

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Modifies system executable filetype association

    • Neshta

      Malware from the Neshta family is a file infector: it injects itself into other executables to spread and cause damage.

    • Executes dropped EXE

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic              Technique                          Count  ID
  Persistence         Change Default File Association    1      T1042
  Defense Evasion     Modify Registry                    1      T1112
  Credential Access   Credentials in Files               1      T1081
  Discovery           Query Registry                     1      T1012
  Discovery           System Information Discovery       2      T1082
  Collection          Data from Local System             1      T1005

Tasks