General

  • Target

    Fattoruso Tech Srl RFQ.zip

  • Size

    441KB

  • Sample

    220930-qqyktaeegj

  • MD5

    8c0a772ecf8d1068df9328c63bd54021

  • SHA1

    e354ef8e127848514518c3d37d3c677562810022

  • SHA256

    33c3a1918527945f7d2ede01a423b626a051ccfcbd8a6479f340af0fe34752bd

  • SHA512

    21f0e275ece24b2424b075d0eae7aa5b1b530cb806326189e88f764966080349f5becbfccc001607faea3526890f5c410925b9790e5ca762826265b6fa9fc854

  • SSDEEP

    12288:nIwsVwwLfZy9ITqJguNqIdRqv3iUd+ZCBNVrWbPkdh:nbsaOZX2J1OqU8ZCNruKh

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.lizaneya.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    @lizaneya.com

Targets

    • Target

      Fattoruso Tech Srl RFQ.exe

    • Size

      620KB

    • MD5

      260f6e729e919bef46b9fde9584e62cf

    • SHA1

      f9861fe9d82a7d8ac405b6a4adf8ebae60133692

    • SHA256

      021a0fc05ac41240f0388f147781324d51e1a31ce772a628d7ad9705aad3a8d4

    • SHA512

      6fd3caf7b08706ee8e24c60caf5d90d5a49091ebf362222fbdf4a40d8f20f0f658be318f67ca1f559ac9f5e56e5bfffff395e7b3f3f826a48d4f393016edadd6

    • SSDEEP

      12288:HToPWBv/cpGrU3yx3meidRqvZuyd+ZgBNV9W3PkdE:HTbBv5rUKm20y8ZgN94KE

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    Credentials in Files (T1081): 3

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 2

  • Collection

    Data from Local System (T1005): 3

    Email Collection (T1114): 1

Tasks