Resubmissions

14/11/2023, 02:31

231114-czqpnsgf24 7

18/10/2021, 09:35

211018-lkfqlaecbl 10

General

  • Target

    d050948cba26749ca0ae38c401cae549

  • Size

    4.2MB

  • Sample

    211018-lkfqlaecbl

  • MD5

    d050948cba26749ca0ae38c401cae549

  • SHA1

    91a3471081352093d319e97abf787ecd7ecbd2d3

  • SHA256

    ebcfd0fc3ecbf9281e9f42e858be21770fd7e3d92facd23d3dc589f01b1a1091

  • SHA512

    ae545ba87d59ef7884da495b8004c0b266e5193511305699bd4b9cbd328a3c4f41f64d943e9def1404ca1323089c027026b632d31f33b995e45b6bff0e65d271

Malware Config

Targets

    • suricata: ET MALWARE Generic .bin download from Dotted Quad

    • suricata: ET MALWARE Generic gate .php GET with minimal headers

    • suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad

    • suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v6

Tasks