General

  • Target

    db64e72464fd9ef07542fbee1e6d078b10f83576a16c3d2152ecdf86941d3573

  • Size

    6.0MB

  • Sample

    221204-jl6masdf3z

  • MD5

    964624aa3e3ddaa872bdf4675d32a9e2

  • SHA1

    677241dfaa8836a1a46b6b2fd586440be8fbae57

  • SHA256

    db64e72464fd9ef07542fbee1e6d078b10f83576a16c3d2152ecdf86941d3573

  • SHA512

    870e12ba1866dcd2ffb702c688b843be51b61996fbc918959164706056e77451a007e751d28d631d68a38cdf79f492699708883fdd93ef4282f2b97b50aa3b21

  • SSDEEP

    98304:5rFcMe2yH+ayUM1miGmHuzvl+TlIJKZlIefRTzpPB0NY/ajSmdVwCFn:tKMet+at4miGmHpTSJYXtzpPBJ/ajXB

Score
10/10

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.drivehq.com
  • Port:
    21
  • Username:
    demonzun
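The extracted FTP configuration (for an infostealer this is normally the drop point for stolen data) and the file hashes above are the indicators a responder would sweep for. The following is an added example, not part of the sandbox report: it runs that sweep over constructed key=value log lines (the log format and hostnames WS01..WS03, 10.0.0.x are assumptions for illustration). Note the severity split: DriveHQ is a legitimate public file-hosting service, so a bare connection to ftp.drivehq.com on port 21 is only medium confidence, while an FTP USER command naming the extracted account is high confidence.

```python
"""IOC sweep built from this report: the extracted FTP config
(ftp.drivehq.com:21, user demonzun) and the sample's file hashes.
Log lines below are constructed key=value records, not real sensor output."""
import re
from dataclasses import dataclass

# Indicators taken from the report above.
IOC_FTP_HOST = "ftp.drivehq.com"
IOC_FTP_PORT = 21
IOC_FTP_USER = "demonzun"
IOC_HASHES = {
    "964624aa3e3ddaa872bdf4675d32a9e2",                                  # MD5
    "677241dfaa8836a1a46b6b2fd586440be8fbae57",                          # SHA1
    "db64e72464fd9ef07542fbee1e6d078b10f83576a16c3d2152ecdf86941d3573",  # SHA256
}

# Constructed sample logs (hosts, addresses and paths are made up).
SAMPLE_NET = [
    'ts=2022-12-04T10:01:02Z src=10.0.0.15 dst_host=ftp.drivehq.com dst_port=21 proto=tcp',
    'ts=2022-12-04T10:01:03Z src=10.0.0.15 dst_host=ftp.drivehq.com dst_port=21 proto=tcp ftp_cmd="USER demonzun"',
    'ts=2022-12-04T10:02:00Z src=10.0.0.22 dst_host=www.drivehq.com dst_port=443 proto=tcp',
    'ts=2022-12-04T10:03:00Z src=10.0.0.31 dst_host=ftp.example.org dst_port=21 proto=tcp ftp_cmd="USER anonymous"',
]
SAMPLE_FILES = [
    r'host=WS01 path="C:\Users\a\AppData\Local\Temp\setup.exe" sha256=DB64E72464FD9EF07542FBEE1E6D078B10F83576A16C3D2152ECDF86941D3573',
    r'host=WS02 path="C:\Windows\System32\notepad.exe" sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef',
    r'host=WS03 path="C:\Users\b\Downloads\invoice.exe" md5=964624aa3e3ddaa872bdf4675d32a9e2',
]


@dataclass(frozen=True)
class Alert:
    severity: str   # "high" or "medium"
    kind: str
    detail: str
    line: str


_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> dict:
    """Split a key=value log line; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def sweep_network(lines) -> list:
    """One alert per matching line. A USER command naming the extracted
    account is high confidence; a bare connection to ftp.drivehq.com:21 is
    medium, because DriveHQ is a legitimate public file-hosting service."""
    alerts = []
    for line in lines:
        f = parse_kv(line)
        host = f.get("dst_host", "").lower()
        port = int(f["dst_port"]) if f.get("dst_port", "").isdigit() else None
        if host != IOC_FTP_HOST or port != IOC_FTP_PORT:
            continue
        parts = f.get("ftp_cmd", "").split()
        if len(parts) == 2 and parts[0].upper() == "USER" and parts[1] == IOC_FTP_USER:
            alerts.append(Alert("high", "ftp-exfil-account",
                                f"{f.get('src')} logged in to {host} as {IOC_FTP_USER}", line))
        else:
            alerts.append(Alert("medium", "ftp-exfil-host",
                                f"{f.get('src')} -> {host}:{port}", line))
    return alerts


def sweep_files(lines) -> list:
    """Match any recorded hash field (md5/sha1/sha256) case-insensitively."""
    alerts = []
    for line in lines:
        f = parse_kv(line)
        for algo in ("md5", "sha1", "sha256"):
            if f.get(algo, "").lower() in IOC_HASHES:
                alerts.append(Alert("high", "known-sample-hash",
                                    f"{f.get('host')}: {f.get('path')} ({algo})", line))
                break
    return alerts


if __name__ == "__main__":
    for a in sweep_network(SAMPLE_NET) + sweep_files(SAMPLE_FILES):
        print(f"[{a.severity}] {a.kind}: {a.detail}")
```

Hash matching is exact, so a repacked build of the same stealer will not hit; treat the account name and destination host as the more durable indicators and pivot from any hit to the host's FTP client and messenger data, which the behaviour list below says the sample reads.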

Targets

    • Target

      db64e72464fd9ef07542fbee1e6d078b10f83576a16c3d2152ecdf86941d3573

      Size, MD5, SHA1, SHA256, SHA512 and SSDEEP are identical to the General section above.

    Score
    10/10
    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check used to skip execution in certain regions.

    • Deletes itself

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files of FTP clients such as FileZilla, which store saved site credentials on disk.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Suspicious use of SetThreadContext
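Because the sample reads FTP client data, any host it ran on must be scoped for stolen FTP credentials. The script below is an added example for that scoping step, not code from the report or from the malware: it parses a constructed FileZilla 3 sitemanager.xml (the layout FileZilla writes under %APPDATA%\FileZilla; the hosts, users and the password in the sample are made up) and lists which saved credentials were trivially recoverable and therefore need rotation. It treats `encoding="base64"` entries as plaintext-equivalent, plain-text entries from very old builds likewise, and anything under another encoding (such as FileZilla's optional master password) as not recoverable from the file alone.

```python
"""Incident-response scoping: which FileZilla saved credentials would an
infostealer that reads sitemanager.xml have obtained on a compromised host?
The XML below is a constructed sample in the FileZilla 3 layout, not from the report."""
import base64
import xml.etree.ElementTree as ET

# FileZilla 3 keeps saved sites in %APPDATA%\FileZilla\sitemanager.xml.
SAMPLE_SITEMANAGER = """<FileZilla3 version="3.60.0" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.net</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>deploy</User>
      <Pass encoding="base64">U3VwZXJTZWNyZXQx</Pass>
      <Name>prod-www</Name>
    </Server>
    <Server>
      <Host>sftp.example.net</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>ops</User>
      <Name>jump (key-based login, no stored password)</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def saved_credentials(xml_text: str) -> list:
    """Return one dict per saved site with host, port, user and either the
    recovered password or a note explaining why it was not recoverable."""
    root = ET.fromstring(xml_text)
    out = []
    for srv in root.iter("Server"):
        entry = {
            "name": srv.findtext("Name", ""),
            "host": srv.findtext("Host", ""),
            "port": int(srv.findtext("Port", "0") or 0),
            "user": srv.findtext("User", ""),
            "password": None,
            "exposed": False,
            "note": "",
        }
        pw = srv.find("Pass")
        if pw is None or not (pw.text or "").strip():
            entry["note"] = "no stored password"
        elif pw.get("encoding") == "base64":
            # base64 is an encoding, not protection: whoever can read the file has the secret
            entry["password"] = base64.b64decode(pw.text.strip()).decode("utf-8", "replace")
            entry["exposed"] = True
        elif pw.get("encoding") is None:
            # very old FileZilla builds wrote the password as plain text
            entry["password"] = pw.text.strip()
            entry["exposed"] = True
        else:
            # some other scheme, e.g. FileZilla's optional master password:
            # not recoverable from the file alone, so not counted as exposed here
            entry["note"] = f"encoding={pw.get('encoding')!r}, not recoverable from file alone"
        out.append(entry)
    return out


def rotation_list(xml_text: str) -> list:
    """user@host:port for every credential that must be rotated."""
    return [f"{e['user']}@{e['host']}:{e['port']}"
            for e in saved_credentials(xml_text) if e["exposed"]]


if __name__ == "__main__":
    for e in saved_credentials(SAMPLE_SITEMANAGER):
        state = "EXPOSED" if e["exposed"] else e["note"]
        print(f"{e['name']}: {e['user']}@{e['host']}:{e['port']} [{state}]")
    print("rotate:", rotation_list(SAMPLE_SITEMANAGER))
```

The same logic applies to recentservers.xml in the same directory, which records ad-hoc connections that were never saved as sites.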
