General

  • Target

    a4b34400dec8c5075191b99a2d759958f2684076ccd11ac5f014f920378edfbf

  • Size

    6.3MB

  • Sample

    220205-es647agbd7

  • MD5

    3d6bc54a4568633a3cfe8603664f288c

  • SHA1

    aa7d7e2b2cbc9f8cd3b76154885271d7b816d8d5

  • SHA256

    a4b34400dec8c5075191b99a2d759958f2684076ccd11ac5f014f920378edfbf

  • SHA512

    5b39d953d5f7a09e3497229e3b7c60ce9af5d89230ba083d8c9c48054bd312e53fb3544d3d575b48322f279f4d9d8cb18d58852366d1ab72943a264e2b7cce7a

Malware Config

Targets

    • Target

      a4b34400dec8c5075191b99a2d759958f2684076ccd11ac5f014f920378edfbf

    • Size

      6.3MB

    • MD5

      3d6bc54a4568633a3cfe8603664f288c

    • SHA1

      aa7d7e2b2cbc9f8cd3b76154885271d7b816d8d5

    • SHA256

      a4b34400dec8c5075191b99a2d759958f2684076ccd11ac5f014f920378edfbf

    • SHA512

      5b39d953d5f7a09e3497229e3b7c60ce9af5d89230ba083d8c9c48054bd312e53fb3544d3d575b48322f279f4d9d8cb18d58852366d1ab72943a264e2b7cce7a

    • RMS

      Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes so the file is not shown in Explorer, etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks