Overview

overview

10

Static

static

URLScan

urlscan

1

https://google.com

windows10-2004_x64

10

Resubmissions

21-08-2022 14:53

220821-r9e39aahej 8

20-08-2022 19:34

220820-yajeysada3 8

18-08-2022 19:56

220818-ynvp5seac3 8

14-08-2022 21:38

220814-1hgbnsddf5 8

18-07-2022 04:40

220718-fajfvaafdl 1

18-07-2022 04:26

220718-e2lvlsaegj 8

16-07-2022 04:29

220716-e4rtmsgeg3 8

16-07-2022 03:58

220716-ejzczsgde2 8

11-07-2022 19:19

220711-x1h2facabn 10

10-07-2022 23:55

220710-3yffesdfan 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    https://google.com

  • Sample

    220711-x1h2facabn

Score
10/10
discoveryevasionpersistencespywarestealersuricatatrojanupx

Malware Config

Targets

    • Target

      https://google.com

    Score
    10/10
    discoveryevasionpersistencespywarestealersuricatatrojanupx

    • suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

      suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

      suricata

    • suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

      suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

      suricata

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Creates new service(s)

      persistence

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Registers COM server for autorun

      persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

1
T1050

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

New Service

1
T1050

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Modify Registry

3
T1112

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

7
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

7
T1082

Security Software Discovery

1
T1063

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks