General

  • Target

    ef9029e808dfd848d69f22259d632f67.exe

  • Size

    3MB

  • Sample

    220906-nyfnvsccf7

  • MD5

    ef9029e808dfd848d69f22259d632f67

  • SHA1

    865aad7739c3e98c9467b407fa031d5694baccf5

  • SHA256

    a7e29a0a274f353c1472741fb4db1881989011ae3d76a9904c78ab42ffa2a82d

  • SHA512

    535fb3b98f1090a95be517a73b1d7be61b35b196fa7216e5326e68103380990068c0201b3320822275bea0c2ebd3fffb8154589e83be4ccfcd51b015266be493

  • SSDEEP

    98304:3zg8EJGNcbiELH0k6inOMhtACfUqe2EhgQJg:3zgANcbiED0finOytnq5hgM

Malware Config

Extracted

Family

allcome

C2

http://dba692117be7b6d3480fe5220fdd58b38bf.xyz/API/2/configure.php?cf6zrlhn=finarnw

Wallets

D5c27bWU8dvgdayPUMzKbc75CmsD9aUSDw

r4RkKWPKszhkZVTtXGBDNyrzcDPjpcnGNp

0xC4b495c6ef4B61d5757a1e78dE22edC315867C84

XshLZA5C9odmaiEfopX5DYvwMbnM4hqCME

TT7mceJ6BNhTPFqpaBy1ND1CWGwaGeqhpx

t1MrxfTEGEZioK7qjcDd48KVC5BMk7ccH8B

GCM62OODIUXHYPTVUZT2W4GKPIO7YMLZDNPR4NGUWLBU7KPOU7Q7E44X

48Zvk6W9kfXik8CEscQYjEZdDCVZtXNEGdjczTR4XD9SKfLWkirntGLR7UyhD7aas3C2N3QefcdB4gyLZt93CrmtP5WAeqJ

qz448vxrv9y6lsy0l4y6x98gylykleumxqnqs7fkn6

1AvqxpSfuNooDv2gn8rFNXiWP64bn7m8xa

0x7374d06666974119Fb6C8c1F10D4Ab7eCB724Fcd

LKcXMo6X6jGyk9o9phn4YvYUQ8QVR4wJgo

ronin:bb375c985bc63d448b3bc14cda06b2866f75e342

+79889916188

+79889916188

+79889916188

MJfnNkoXewo8QB5iu9dee2exwdavDxWRLC

ltc1q309prv3k8lc9gqd062eevjvxmkgyv00xe3m6jg

3Gs18Dq8SNrs3kLQdrpUFHa2yX8uD9ZXR7

bc1qhcynpwvj6lvdh393ph8tesk0mljsc6z3y40h2m

Targets

    • Target

      ef9029e808dfd848d69f22259d632f67.exe

    • Size

      3MB

    • MD5

      ef9029e808dfd848d69f22259d632f67

    • SHA1

      865aad7739c3e98c9467b407fa031d5694baccf5

    • SHA256

      a7e29a0a274f353c1472741fb4db1881989011ae3d76a9904c78ab42ffa2a82d

    • SHA512

      535fb3b98f1090a95be517a73b1d7be61b35b196fa7216e5326e68103380990068c0201b3320822275bea0c2ebd3fffb8154589e83be4ccfcd51b015266be493

    • SSDEEP

      98304:3zg8EJGNcbiELH0k6inOMhtACfUqe2EhgQJg:3zgANcbiED0finOytnq5hgM

    • Allcome

      A clipbanker that supports stealing different cryptocurrency wallets and payment forms.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Execution

          Exfiltration

            Impact

              Initial Access

                Lateral Movement

                  Persistence

                  Privilege Escalation

                    Tasks