6d5562256840a1856dd4e60b20f2d0a0edf8a0c18dbd779ffb501c209385ba9d | Triage

Sharing

General

Target

notificacao.zip
Size

28.9MB
Sample

230207-ckwblsha59
MD5

c2766d4a4f4d3f129c452838abef4f33
SHA1

878ee830651510030b68208340cc1c98774041e9
SHA256

6d5562256840a1856dd4e60b20f2d0a0edf8a0c18dbd779ffb501c209385ba9d
SHA512

b97299ebc5b5d386de73fffc74f978d1bfd9538e91d03ba1c7aaea851e9fa19750775684bc5f3cb7e5864fe9e3d3e775835c878e7a094bf6a124511062bb4f57
SSDEEP

786432:ZDwpcw8mLTUPe6WOwGeCjn+di0wK/+QC2g:dwpcVAoPBtwGTqdxwKU

Score

8^/10

evasion persistence trojan

Malware Config

Targets

- Target
  
  CmdLine.exe
- Size
  
  440KB
- MD5
  
  0bfe3087ca4ef73b868518af6caa4e6d
- SHA1
  
  af3fa5233a6dd4eb1bbd727175f7a5845323076c
- SHA256
  
  1beb42edf12f007c47b403049d10afbbf4db637d7053244c1b6972ea53847b76
- SHA512
  
  3e66dc57dc48699c118dd309c188760ef48e918da6c9aebd9073abe5f832857e82ce15b8104643c13d5b29397151f2e77fff5a8c5e6a9532b3bc1fe507a128d3
- SSDEEP
  
  6144:dvGW7g487Zp/O22OHe3vqt7+ScIk8taZuuzI9ujmOO6JFcJiWgd+4xN:dv3gJZ2OQvqt7+ScJ8tGuf9fv6JGJxq
Score

6^/10

persistence
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  Common.dll
- Size
  
  897KB
- MD5
  
  40fd316520f0573077aacb60aff0fbc6
- SHA1
  
  4b1e23ba91a049fdc4c97caebc57cac15cb3e9b0
- SHA256
  
  0d757ca61be427e699d570364fdd5ec6f5fbeb7654dc67b34bb4b46c69466de5
- SHA512
  
  c5cad12ed7b9fc4b6af099a973438e07c0a994084cad893d34eadcc186559560d728a663054c9cfc49864fa52f88d38428088baae853fd887169be46bee8524c
- SSDEEP
  
  12288:E6CK1dk6NxNlea9vVBpKZZhYQ6hH6YcSoaZbVAIaJNO:J1d3NlxvVBkOQ6huSoaZbiS
Score

5^/10
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral3 behavioral4
- Target
  
  DropBoxExe.exe
- Size
  
  107KB
- MD5
  
  a99079293307d2192a6e90e297e535ac
- SHA1
  
  13428dc44c2ecfac6046e7b04e361194d7de35bd
- SHA256
  
  128617558adca5aa6ecc2b858a188e44695103f48af936526e4c5d3e812851cc
- SHA512
  
  1d5e3c7e87988db0111e88fa1f1ae7542fb96b48d3f9ccf1f34389a7f297b666fcc52d353c1b9351bdfcf367f449368363dc662257e39e072c3554fd139066bc
- SSDEEP
  
  3072:4YOizsnLkHLgCJXjI5BYtZYaXDOYlvvvvVznRm/+:4YOAsnug0X4BYtZYaXDOY
Score

1^/10
behavioral5 behavioral6
- Target
  
  StarBurn.dll
- Size
  
  573KB
- MD5
  
  e86403ff6f01f2b50b9f95d8e536fbf1
- SHA1
  
  0546658f5e4ac1c0b8035dc9da5f0e389e79e38f
- SHA256
  
  34d51ea931e6b9de88b55f3d9f6921fbddaa40acb888e692f66f7e77c2b6f676
- SHA512
  
  4c8ffa89c8f40b9749db013a937cc6067c46e8698ff9dbadb9371ebe792d664e08e46e26d33e0833fdd037a947eed2683d1f51d619f8dd28d7f118345d6f308f
- SSDEEP
  
  6144:pO/y/giMzI+IOyLwjiwjD2S+HGN6TWjSp8Kl9xjp4cfSuHwQBGp88MRUssCR9CDR:Z/gzbn+GgTWjg8S4cfSn8GpsCD0FTQ
Score

3^/10
behavioral7 behavioral8
- Target
  
  StuffIt14.url
- Size
  
  48B
- MD5
  
  61892cf7d9596385f03af436a015b567
- SHA1
  
  5698a18a62a5178e0f34923d850f44644a28448c
- SHA256
  
  ea5f6725e5d61387e8da61e063a9b7baaf83b4e1d9d311ac0ea845e31c93756a
- SHA512
  
  9b4ba12f6f79f2cc47fdba6e12b0f1b72016d1f93685abc3ec54c72c030485be45470ead9b328adf84d4ce893b1072a582986a6ba4c30aaa6c38d27ff2e8a597
Score

8^/10

persistence evasion trojan
- Downloads MZ/PE file
- Sets file execution options in registry
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
  persistence
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
behavioral10 behavioral9
- Target
  
  StuffItConnect.dll
- Size
  
  81KB
- MD5
  
  9f499cb83be4c828383e70b8b94a6479
- SHA1
  
  915a055b761e713d144edc7b7b94d8783f28d485
- SHA256
  
  a059228a9c6e656877adbb8d764523a02634ec8c95a8057c059b414e2a4c14e1
- SHA512
  
  4b6849f7e2f094f2d208f3dad823a86288970d500a827d31addd6eb81674d2e6be6ad1e75e488ad9b61c08db5d9351188e00d09363fc695e2f8534746a6bbbcc
- SSDEEP
  
  1536:EGmRhB/Qrnkz929g/QIZjvjfVJouxULhcLFV5IKebW9sG0OKU20Wz8MJH:pmRSAlBohcLFV5IKea9s1OKqWz8
Score

3^/10
behavioral11 behavioral12
- Target
  
  StuffItEngine.dll
- Size
  
  1012.9MB
- MD5
  
  ef2868fe1076f5b46db73953886ccd31
- SHA1
  
  9cd52d848938fe8059caf5bc34cd8be9b13db9fe
- SHA256
  
  2ec8631abe9bc1900ca64b997c53e861b04ec1a67fbef3778fe1f46ff125b98d
- SHA512
  
  aa61d2b84cc833a6862a0cb24e911bed0728a1d6e57b810658181105462deb63d00061c53dae9706ba9c139ff801279a8dc2a5011cc01f730b0f30b09fd55a70
- SSDEEP
  
  393216:n4wsmYMOqC+tpqrfr2ialtyZqmCB46NwtU5a8Ri36puC3e/cN+:4w8DbfrwYAjBstUa8U36oCOh
Score

5^/10
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral13 behavioral14

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14