General

  • Target

    0539f85f58cbdfbd5402f02bef84c1ed425122cc95f34c38719d9059343350b6

  • Size

    817KB

  • Sample

    220316-lfmcksbge6

  • MD5

    55de296cf36210a101903ad018edddbc

  • SHA1

    30857c9cf63be230ed01ad34995b85108f2c9eb9

  • SHA256

    0539f85f58cbdfbd5402f02bef84c1ed425122cc95f34c38719d9059343350b6

  • SHA512

    875f0bc9d1ce36a592c9f2211d002919f89f5b9eb8e88ca74a820f6cfdbb56e4ad7e94504db2061f5141e8452118e01c7c8007321299c92543af4a0f9be6d730

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.dlink.md
  • Port:
    587
  • Username:
    linkview@dlink.md
  • Password:
    Freemind2k3

Targets

    • Target

      0539f85f58cbdfbd5402f02bef84c1ed425122cc95f34c38719d9059343350b6

    • Size

      817KB

    • MD5

      55de296cf36210a101903ad018edddbc

    • SHA1

      30857c9cf63be230ed01ad34995b85108f2c9eb9

    • SHA256

      0539f85f58cbdfbd5402f02bef84c1ed425122cc95f34c38719d9059343350b6

    • SHA512

      875f0bc9d1ce36a592c9f2211d002919f89f5b9eb8e88ca74a820f6cfdbb56e4ad7e94504db2061f5141e8452118e01c7c8007321299c92543af4a0f9be6d730

    • Executes dropped EXE

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

3
T1081

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Tasks