General

  • Target

    Milieubeskyttelsesinteressernes.exe

  • Size

    289KB

  • Sample

    230223-nlp2rshe6x

  • MD5

    26155e96db9e26fa870f7be50c281d3c

  • SHA1

    0d62f6fd842197f855986da747fbae8c14d3ccf1

  • SHA256

    d8b0bc17d73b611e2ae4ac8addf6a90745af6107cfadffc7cc497a2db38afc87

  • SHA512

    146af6b37c977e8d11ab2fe0217335c0a17e6380367a8ec66da17d2baa10dd2e62c24eb87aae8716d136efa08b6e7931c57a7cdd4b2fdac6540851e3e217e055

  • SSDEEP

    6144:LicFyL3iGmri24SPDtW9JHDff/g1++QPX8fp9bJZky:ePyaS5uJHTX14bJZ

Malware Config

Targets

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Modifies Windows Firewall

    • Sets DLL path for service in the registry

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX variant.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Modifies WinLogon

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks