352aa870af4367dbfbd69e97f933e7eb88fdbc2b9c6f06fc44550eb6cc3cce36 | Triage

Sharing

General

Target

352aa870af4367dbfbd69e97f933e7eb88fdbc2b9c6f06fc44550eb6cc3cce36
Size

1.6MB
Sample

220619-w9xqhsgfdr
MD5

dc3a81cc4f57944f8769d3af969c3a80
SHA1

b5985ce4c9d0edd85194082cc7fed320dc7fbaad
SHA256

352aa870af4367dbfbd69e97f933e7eb88fdbc2b9c6f06fc44550eb6cc3cce36
SHA512

ac661795dcc06e75d85d6903f2c67ca0c85cbf8ba566829ea3edb4e0e79bddbf10c5ddc9752f1998dc28ad48f2dc51b2c088f0ecde6d54650bffa861f0179b64

Score

6^/10

spyware stealer

Malware Config

Targets

- Target
  
  352aa870af4367dbfbd69e97f933e7eb88fdbc2b9c6f06fc44550eb6cc3cce36
- Size
  
  1.6MB
- MD5
  
  dc3a81cc4f57944f8769d3af969c3a80
- SHA1
  
  b5985ce4c9d0edd85194082cc7fed320dc7fbaad
- SHA256
  
  352aa870af4367dbfbd69e97f933e7eb88fdbc2b9c6f06fc44550eb6cc3cce36
- SHA512
  
  ac661795dcc06e75d85d6903f2c67ca0c85cbf8ba566829ea3edb4e0e79bddbf10c5ddc9752f1998dc28ad48f2dc51b2c088f0ecde6d54650bffa861f0179b64
Score

6^/10

spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Uses Tor communications
  Malware can proxy its traffic through Tor for more anonymity.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Connection Proxy

Impact

Tasks

static1

behavioral1

behavioral2