General

  • Target

    s.exe

  • Size

    8KB

  • Sample

    220120-k6zvxshce4

  • MD5

    9117ec9c09a548e549b5a85431d621ae

  • SHA1

    d7bf8b631eb814a0d41318fe3d97c45264739e19

  • SHA256

    5beb552d751f5866dece29a1a6d17ed03f71870161b8d6d07882883359da6e3f

  • SHA512

    2f4b71e44a979f2d343f76af85868740608178a4c21f0e87ec63f0f9077517c8894db85ec4f6084980e061ce8eeef011decf31cb7f9d0d636c0c34d43aa9d59b

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    mnayarhaytham2022@gmail.com
  • Password:
    mayarhaytham0106214438
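
The extracted config gives the exfiltration channel: SMTP submission to smtp.gmail.com on 587 with a hard-coded Gmail account, so the host-side detection is outbound SMTP submission to that endpoint from anything that is not a mail client. The Python below is an added example, not part of the sandbox report. It runs two checks over constructed Sysmon Event ID 3 (network connection) records flattened to key=value lines: SMTP submission to the extracted host from a process outside a small mail-client allowlist, and contact with a common external-IP lookup service (the report notes the lookup but does not name the service, so the domain list and the allowlist are assumptions). The field names are Sysmon's; the log lines, process paths and IP addresses are made up.

```python
"""Flag the SMTP exfiltration channel from the extracted config in host telemetry.

Added example, not part of the sandbox report. Input is constructed Sysmon
Event ID 3 (network connection) data flattened to key=value lines; field
names are Sysmon's, paths and addresses are made up.
"""
import re
from dataclasses import dataclass

# Endpoint from the report's extracted credentials block.
EXFIL_HOST = "smtp.gmail.com"
EXFIL_PORT = 587

# Assumption: the only processes expected to speak SMTP submission in this environment.
MAIL_CLIENT_ALLOWLIST = {
    r"c:\program files\microsoft office\root\office16\outlook.exe",
    r"c:\program files\mozilla thunderbird\thunderbird.exe",
}

# Assumption: public services commonly used to learn a host's external IP.
IP_LOOKUP_SERVICES = {"api.ipify.org", "ifconfig.me", "icanhazip.com", "checkip.amazonaws.com"}

# Constructed telemetry. The third line mimics a dropped EXE hiding under a system name.
SAMPLE_EVENTS = r"""
EventID=3 Image=C:\Users\victim\Downloads\s.exe DestinationHostname=smtp.gmail.com DestinationIp=203.0.113.25 DestinationPort=587 Protocol=tcp
EventID=3 Image=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE DestinationHostname=smtp.gmail.com DestinationIp=203.0.113.25 DestinationPort=587 Protocol=tcp
EventID=3 Image=C:\Users\victim\AppData\Local\Temp\svchost.exe DestinationHostname=smtp.gmail.com DestinationIp=203.0.113.25 DestinationPort=587 Protocol=tcp
EventID=3 Image=C:\Users\victim\AppData\Local\Temp\svchost.exe DestinationHostname=api.ipify.org DestinationIp=203.0.113.80 DestinationPort=443 Protocol=tcp
EventID=1 Image=C:\Users\victim\Downloads\s.exe CommandLine=s.exe
"""

# key=value pairs; values may contain spaces, so a value ends only before the next " key=".
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> dict:
    """Turn one flattened event line into a field dictionary."""
    return dict(FIELD_RE.findall(line.strip()))


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    destination: str


def analyze(events):
    """Apply both rules to network-connection events; other event types are ignored."""
    findings = []
    for ev in events:
        if ev.get("EventID") != "3":
            continue
        image = ev.get("Image", "")
        host = ev.get("DestinationHostname", "").lower()
        port = int(ev.get("DestinationPort", "0"))
        dest = f"{host}:{port}"
        if (host == EXFIL_HOST and port == EXFIL_PORT
                and image.lower() not in MAIL_CLIENT_ALLOWLIST):
            findings.append(Finding("smtp_submission_unexpected_process", image, dest))
        if host in IP_LOOKUP_SERVICES:
            findings.append(Finding("external_ip_lookup", image, dest))
    return findings


def run_sample():
    """Parse and analyze the constructed events; returns the list of findings."""
    events = [parse_event(l) for l in SAMPLE_EVENTS.splitlines() if l.strip()]
    return analyze(events)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.rule:36} {f.image} -> {f.destination}")
```

Outlook's connection to the same host and port is ignored because of the allowlist; the two connections from the Downloads and Temp paths are flagged, as is the IP lookup. In a real deployment the allowlist belongs in config and the destination should also be matched on the resolved IP range, since DestinationHostname depends on a reverse lookup that may be empty.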

Targets

    • Target

      s.exe

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Nirsoft

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger
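
Three of the signatures above (VirtualBox ACPI registry values, BIOS information in the registry, and the UAC check) are all plain registry reads. The report does not list the exact values s.exe queries, so the paths below are the widely documented VirtualBox tell-tales and the EnableLUA value that such checks read, stated here as an analyst's assumption. The Python is an added example, not the sample's code: it evaluates a registry snapshot for those indicators so an analyst can see whether their own VirtualBox sandbox would be fingerprinted in the same way. On Windows, `collect_snapshot()` reads the live registry with the standard-library `winreg` module; the two constructed snapshots exercise the matching logic offline.

```python
"""Check a registry snapshot for the VirtualBox and UAC tell-tales the report's signatures describe.

Added example, not the sample's code. The paths are the widely documented
VirtualBox artifacts an "ACPI registry values" / "BIOS information" check
reads, plus the UAC switch; which exact values s.exe queries is not in the
report, so this list is an analyst's assumption.
"""
import sys

# (HKLM-relative key, value name or None for "key exists", uppercase substring that gives the VM away)
VBOX_INDICATORS = [
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion", "VBOX"),
    (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion", "VIRTUALBOX"),
    (r"HARDWARE\ACPI\DSDT\VBOX__", None, None),
    (r"HARDWARE\ACPI\FADT\VBOX__", None, None),
    (r"HARDWARE\ACPI\RSDT\VBOX__", None, None),
    (r"SOFTWARE\Oracle\VirtualBox Guest Additions", None, None),
]
# EnableLUA == 0 means UAC is off, so elevated actions raise no prompt.
UAC_KEY = (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA")


def collect_snapshot():
    """Read the live registry (Windows only) into the {(key, name): value} shape used below."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("live collection needs Windows; pass a snapshot dict instead")
    import winreg  # standard library on Windows
    snap = {}
    for key, name, _ in VBOX_INDICATORS + [UAC_KEY + (None,)]:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as h:
                snap[(key, None)] = True
                if name is not None:
                    snap[(key, name)], _type = winreg.QueryValueEx(h, name)
        except OSError:
            pass  # key or value absent: simply not recorded
    return snap


def _as_text(raw):
    # REG_MULTI_SZ values come back as a list of strings; join so substring matching works.
    return " ".join(raw) if isinstance(raw, (list, tuple)) else str(raw)


def vm_indicators(snap):
    """Return one human-readable line per VirtualBox indicator present in the snapshot."""
    hits = []
    for key, name, needle in VBOX_INDICATORS:
        if name is None:
            if snap.get((key, None)):
                hits.append(f"HKLM\\{key} exists")
        elif (raw := snap.get((key, name))) is not None and needle in _as_text(raw).upper():
            hits.append(f"HKLM\\{key}\\{name} = {_as_text(raw)!r}")
    return hits


def uac_enabled(snap):
    """True/False from EnableLUA, None when the value is not in the snapshot."""
    raw = snap.get(UAC_KEY)
    return None if raw is None else int(raw) != 0


# Constructed snapshots: a stock VirtualBox guest and a physical host (vendor strings made up).
VBOX_GUEST = {
    (r"HARDWARE\DESCRIPTION\System", None): True,
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"): ["VBOX   - 1"],
    (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"): ["Oracle VM VirtualBox VBE BIOS"],
    (r"HARDWARE\ACPI\DSDT\VBOX__", None): True,
    (r"HARDWARE\ACPI\FADT\VBOX__", None): True,
    (r"HARDWARE\ACPI\RSDT\VBOX__", None): True,
    (r"SOFTWARE\Oracle\VirtualBox Guest Additions", None): True,
    UAC_KEY: 1,
}
PHYSICAL_HOST = {
    (r"HARDWARE\DESCRIPTION\System", None): True,
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"): ["ACME - 1072009", "1.12.0"],
    (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"): ["Intel Video BIOS"],
    UAC_KEY: 0,
}

if __name__ == "__main__":
    snap = collect_snapshot() if sys.platform.startswith("win") else VBOX_GUEST
    print("\n".join(vm_indicators(snap)) or "no VirtualBox indicators")
    print("UAC enabled:", uac_enabled(snap))
```

Every hit is an artifact a sample with these signatures can use to bail out before touching browser data or contacting the SMTP server, so a sandbox that returns an empty list here (renamed ACPI tables, patched BIOS strings, no Guest Additions key) is more likely to see the full chain run.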

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic               Technique                        Count  ID
  Defense Evasion      Virtualization/Sandbox Evasion   1      T1497
  Credential Access    Credentials in Files             1      T1081
  Discovery            Query Registry                   2      T1012
  Discovery            Virtualization/Sandbox Evasion   1      T1497
  Discovery            System Information Discovery     3      T1082
  Collection           Data from Local System           1      T1005
  Command and Control  Web Service                      1      T1102
