b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1 | Triage

Submit
Reports

Overview

overview

9

Static

static

b3d47cda8a...f1.exe

windows7-x64

8

b3d47cda8a...f1.exe

windows10-2004-x64

9

Sharing

General

Target

b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1
Size

4.6MB
Sample

221125-kfrrmahc9z
MD5

482583be2d17b24c0c065c361d6d454c
SHA1

958c9021cbc65261127393179ded8ba1eed5c414
SHA256

b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1
SHA512

32347411e73589d29d957c2f2b36c8baa0f1b53c168cba34e7b17ffe2826b4307d145fcf1dec61e16b41023fe3ee4dd4e5007aec729b2b673f204ff6cc1f73c3
SSDEEP

98304:eLtkZmzpySeQlbyuvoBYU8XlpTmCoFyCMPYT+HrB:eLygV8NieYrX3mCoFl6MkB

Score

9^/10

bootkit evasion persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1.exe

Resource

win7-20221111-en

bootkit persistence spyware stealer

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1.exe

Resource

win10v2004-20221111-en

bootkit evasion persistence spyware stealer trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Targets

- Target
  
  b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1
- Size
  
  4.6MB
- MD5
  
  482583be2d17b24c0c065c361d6d454c
- SHA1
  
  958c9021cbc65261127393179ded8ba1eed5c414
- SHA256
  
  b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1
- SHA512
  
  32347411e73589d29d957c2f2b36c8baa0f1b53c168cba34e7b17ffe2826b4307d145fcf1dec61e16b41023fe3ee4dd4e5007aec729b2b673f204ff6cc1f73c3
- SSDEEP
  
  98304:eLtkZmzpySeQlbyuvoBYU8XlpTmCoFyCMPYT+HrB:eLygV8NieYrX3mCoFl6MkB
Score

9^/10

bootkit persistence spyware stealer evasion trojan
- Nirsoft
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks whether UAC is enabled
  evasion trojan
- Drops Chrome extension
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Query Registry

Peripheral Device Discovery

Remote System Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

bootkitpersistencespywarestealer

behavioral2

bootkitevasionpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy