81afd25a71243d161133a5eed7100c93ea9035019b54d604b0b1b81052ee975a | Triage

Sharing

General

Target

81afd25a71243d161133a5eed7100c93ea9035019b54d604b0b1b81052ee975a
Size

227KB
Sample

221018-1pyvaseeaj
MD5

51e5a087d3ef2140a2b4b921cec3de42
SHA1

2b4bc51bc96cf3cbf50ffe03b5819fb812a34c19
SHA256

81afd25a71243d161133a5eed7100c93ea9035019b54d604b0b1b81052ee975a
SHA512

9a23fe082db3896cc1a268fde0fefb16d495a563708171cb475afd4148f56877ee777bf2edf8bd9a9f630322d4bebd2be5518166c7d47a9d823f78a4498f4f1f
SSDEEP

3072:YsXRmUIMitiMQose27vc+Eld+xZp2vPRL1tT06zJoxAWBcKpSP//dwRmRuq:ZR5IuMQoseGk7RZBGxAycKpSPX2Fq

Score

10^/10

evasion persistence spyware stealer

Malware Config

Targets

- Target
  
  81afd25a71243d161133a5eed7100c93ea9035019b54d604b0b1b81052ee975a
- Size
  
  227KB
- MD5
  
  51e5a087d3ef2140a2b4b921cec3de42
- SHA1
  
  2b4bc51bc96cf3cbf50ffe03b5819fb812a34c19
- SHA256
  
  81afd25a71243d161133a5eed7100c93ea9035019b54d604b0b1b81052ee975a
- SHA512
  
  9a23fe082db3896cc1a268fde0fefb16d495a563708171cb475afd4148f56877ee777bf2edf8bd9a9f630322d4bebd2be5518166c7d47a9d823f78a4498f4f1f
- SSDEEP
  
  3072:YsXRmUIMitiMQose27vc+Eld+xZp2vPRL1tT06zJoxAWBcKpSP//dwRmRuq:ZR5IuMQoseGk7RZBGxAycKpSPX2Fq
Score

10^/10

evasion persistence spyware stealer
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Hidden Files and Directories

Registry Run Keys / Startup Folder

Scheduled Task

Winlogon Helper DLL

Privilege Escalation

Scheduled Task

Defense Evasion

Hidden Files and Directories

Modify Registry

Web Service

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

evasionpersistencespywarestealer

behavioral2

evasionpersistencespywarestealer