General

  • Target

    434d39bfbcee378ed62a02aa40acc6507aa00b2a3cb0bf356c0b23cc9eebcd77

  • Size

    2.0MB

  • Sample

    220228-dsz57sdab8

  • MD5

    df45ee66dd410b491e3e01c8880f6966

  • SHA1

    e4fec41a80337c87acc8f67864047aba34690bb4

  • SHA256

    434d39bfbcee378ed62a02aa40acc6507aa00b2a3cb0bf356c0b23cc9eebcd77

  • SHA512

    b9b5bfebbeda3f4e75588a3fd35c4099e7acc02b579070066d0bcc8e107e4069b7c24cbe1c7214e5224f70030465cdebaf01e40f74a1ebeb0b8e20d3c2f89445

Malware Config

Extracted

  • Language

    ps1

  • Source

  • URLs

    exe.dropper: http://buking.site/soft/08042021.exe

Targets

    • Target

      NewCovid-21/08042021.exe

    • Size

      598KB

    • MD5

      e4855693722de3856421b1b6920ba54d

    • SHA1

      9c50313f3b6d84a2b063d0acca64417bfe283d6d

    • SHA256

      0e1e2f87699a24d1d7b0d984c3622971028a0cafaf665c791c70215f76c7c8fe

    • SHA512

      5373fc8ac2839520492ac6fa03758ad9781c7a840b9091dba4e3b0f197519e7343de434f2e10ff55e85be8eea1f6f425e4b2f6a343b374852011c02ad70fbba5

    • OutSteel

      OutSteel is a file uploader and document stealer written in AutoIT.

    • OutSteel batch script

      Detects batch script dropped by OutSteel

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Target

      NewCovid-21/GEO-CFUND-2009_CCM Agreement_Facesheet - signed.pdf

    • Size

      1.2MB

    • MD5

      c326ba10fb458ca8b17a12047664ba61

    • SHA1

      897439fae9312219b87e6b62d0d7d0bcdf419eff

    • SHA256

      bbab12dc486b1c6fcf9e343ec1474d0f8967de988444d7f838f1b4dcab343e8a

    • SHA512

      d647695b7bfc10d8c94af873506cb02c51ecdf672f151b175a3b42f78138fa401824b7a4f813d400acb35dbbc365968261282718672bc25d30040cf8e2e61941

    • Score

      1/10

    • Target

      NewCovid-21/New Folder.lnk

    • Size

      1KB

    • MD5

      aa3e4c243b101ed6c92b38fe8670a724

    • SHA1

      b85ef90888d2169252af104e809726e92aa518ef

    • SHA256

      172f12c692611e928e4ea42b883b90147888b54a8fb858fc97140b82eef409f3

    • SHA512

      cecb656b59170bb1e67e50f38f2b2b4753b8b63ec0633604c40018ccbe45b25c69828e0d3909b8d946ac0d44e52a5a8604c0b0537a7baa9ed3e36c7df6d64d9a

    • Score

      10/10

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Target

      NewCovid-21/Statistic.doc

    • Size

      4.0MB

    • MD5

      44697aad796c0d82c1adbee15fd1266b

    • SHA1

      0349463deb6e3803c425fa7725f7dedaccc6e6aa

    • SHA256

      9803e65afa5b8eef0b6f7ced42ebd15f979889b791b8eadfc98e7f102853451a

    • SHA512

      90cefab17ed24cc078a5cb71ae28b499e8583118566b2f59d6feae693d114468c292ecabdb7ddd7721a0a4c8e1af044513007e2804993b33e4eb18c0f7b83107

    • Score

      8/10

    • Blocklisted process makes network request
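As an added example, not part of the sandbox report, the Python below turns the extracted configuration (the ps1 dropper URL) and the SHA256 values listed above into a small IOC matcher: it classifies a blob by hash against the report's values and scans proxy-log lines for requests to the dropper host, for the dropper filename served from another host, and for document-handling processes fetching executables, which is the behaviour the "Blocklisted process makes network request" signature on Statistic.doc points at. The log line format, the list of document-handler process names and the sample log lines are constructed assumptions; the report does not say which process it blocklists.

```python
import hashlib
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Indicators copied from the report above.
DROPPER_URL = "http://buking.site/soft/08042021.exe"
KNOWN_SHA256 = {
    "434d39bfbcee378ed62a02aa40acc6507aa00b2a3cb0bf356c0b23cc9eebcd77": "archive (2.0MB)",
    "0e1e2f87699a24d1d7b0d984c3622971028a0cafaf665c791c70215f76c7c8fe": "NewCovid-21/08042021.exe (OutSteel)",
    "172f12c692611e928e4ea42b883b90147888b54a8fb858fc97140b82eef409f3": "NewCovid-21/New Folder.lnk",
    "9803e65afa5b8eef0b6f7ced42ebd15f979889b791b8eadfc98e7f102853451a": "NewCovid-21/Statistic.doc",
}

# Assumption: processes that have no business fetching executables directly.
# The report only says "blocklisted process"; this list is illustrative.
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe", "wordpad.exe"}

# Assumed proxy-log layout: "<timestamp> <client-ip> <process> <method> <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<proc>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")


def sha256_hex(data: bytes) -> str:
    """Hex SHA256 of an in-memory blob (use chunked reads for large files)."""
    return hashlib.sha256(data).hexdigest()


def classify_blob(data: bytes) -> Optional[str]:
    """Return the report's label for a blob whose SHA256 is listed, else None."""
    return KNOWN_SHA256.get(sha256_hex(data))


def url_indicators(url: str) -> dict:
    """Split an IOC URL into the parts worth matching on separately."""
    p = urlparse(url)
    return {"host": p.hostname, "path": p.path, "filename": p.path.rsplit("/", 1)[-1]}


def scan_proxy_log(lines: List[str], dropper_url: str = DROPPER_URL) -> List[Tuple[str, str, str, List[str]]]:
    """Return (timestamp, process, url, reasons) for every line that matches an indicator."""
    ind = url_indicators(dropper_url)
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the assumed format; skip rather than guess
        req = urlparse(m["url"])
        reasons = []
        if req.hostname and req.hostname == ind["host"]:
            reasons.append("known dropper host")
        # Same payload name on a different host: a re-hosted dropper is common.
        if req.path.rsplit("/", 1)[-1] == ind["filename"] and req.hostname != ind["host"]:
            reasons.append("dropper filename on another host")
        if m["proc"].lower() in DOCUMENT_HANDLERS and req.path.lower().endswith(".exe"):
            reasons.append("document handler fetching an executable")
        if reasons:
            hits.append((m["ts"], m["proc"], m["url"], reasons))
    return hits


# Constructed sample log lines; they are not from the sandbox run.
SAMPLE_LOG = [
    "2022-02-28T09:00:01Z 10.0.0.5 chrome.exe GET https://example.com/index.html",
    "2022-02-28T09:00:07Z 10.0.0.5 powershell.exe GET http://buking.site/soft/08042021.exe",
    "2022-02-28T09:00:09Z 10.0.0.7 winword.exe GET http://203.0.113.10/files/08042021.exe",
    "2022-02-28T09:00:12Z 10.0.0.9 chrome.exe GET http://buking.site/",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

Matching on the host alone catches any later payload served from buking.site, while the filename check catches the same dropper re-hosted elsewhere; the process check is the behavioural rule and needs no indicator at all, so it survives infrastructure changes.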

MITRE ATT&CK Enterprise v6

Tasks