Overview

overview

8

Static

static

R6d-Executor.exe

windows7_x64

8

R6d-Executor.exe

windows10_x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    R6d-Executor.exe

  • Size

    4.3MB

  • Sample

    211203-mbwwwsbah3

  • MD5

    61fbb17638965822d5552e9b7f535eb6

  • SHA1

    5faeb34f345e6740ffeda29a5cf9db434f366b84

  • SHA256

    4a177eb13e5340bfa7fc424bf44b09100b734cfef981821c886dfa10f60f5643

  • SHA512

    2793e34e44b4d7ee226f16570fd0acb75e35cd7546652d8a5f79d765f14da7b9e9d64caf8fa183797aa31562dd3661602b712c749a190abe0d6ddbb8829c300f

Score
8/10
persistencespywarestealerupx

Malware Config

Targets

    • Target

      R6d-Executor.exe

    • Size

      4.3MB

    • MD5

      61fbb17638965822d5552e9b7f535eb6

    • SHA1

      5faeb34f345e6740ffeda29a5cf9db434f366b84

    • SHA256

      4a177eb13e5340bfa7fc424bf44b09100b734cfef981821c886dfa10f60f5643

    • SHA512

      2793e34e44b4d7ee226f16570fd0acb75e35cd7546652d8a5f79d765f14da7b9e9d64caf8fa183797aa31562dd3661602b712c749a190abe0d6ddbb8829c300f

    Score
    8/10
    persistencespywarestealerupx

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks