General

  • Target

    Prisons Image Logger V3.exe

  • Size

    4.6MB

  • Sample

    220705-2kqtkafgc5

  • MD5

    b801595020682f928059f7a5576368f7

  • SHA1

    a5638bcf0497a4908860d466cf2a602ea61687af

  • SHA256

    ff3382577340e48ef4863491df18f1969d9d2336e6fee1525b62d664c185d94a

  • SHA512

    5bb0db22e7d243935d178ef7f7f710c7693089ae840ae65d31f6cb23634ce2ec852fbd076dd9bf75f8b148b66e21a87c82798f95904ee58fdcb44acbc3036d4a

Malware Config

Targets

    • Target

      Prisons Image Logger V3.exe

    • Modifies Windows Defender Real-time Protection settings

    • Modifies security service

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic                 Technique                       Count  ID
Persistence            Modify Existing Service         2      T1031
Defense Evasion        Modify Registry                 3      T1112
Defense Evasion        Disabling Security Tools        1      T1089
Defense Evasion        Install Root Certificate        1      T1130
Credential Access      Credentials in Files            1      T1081
Discovery              Query Registry                  1      T1012
Discovery              System Information Discovery    2      T1082
Collection             Data from Local System          1      T1005
Command and Control    Web Service                     1      T1102