General

  • Target

    IObit.Uninstaller.12.1.0.5 - XYZ.zip

  • Size

    33.5MB

  • Sample

    230303-2l36aabb8w

  • MD5

    11d64205a70b973b3a21b644c33d8d1c

  • SHA1

    c38e54f40c8f5875e94be63580e33900237a9518

  • SHA256

    93f99bf6ce947e342f87ee449f20c7848b039c93de44bcdee037e99d9ae69ec8

  • SHA512

    af2271066348701ecab44acf52739eda5697f58bccdc48e92be7241848e15192dbd2c0cc98ec20b4afa9acc02129f1dc9d3781a40818c29d4f154653a88f28d4

  • SSDEEP

    786432:bsZkC6L03M+t1MQ6HAAC4kCC/RAcrGXdal:bsZkC6I3M6VNAmJDGXdm

Malware Config

Targets

    • Target

      version.dll

    • Size

      5.3MB

    • MD5

      cc165af6a6e4978c66a86b25cf58b92b

    • SHA1

      3767e079d784c5a2b5088de7c172da1c1bf63daf

    • SHA256

      4e12ff9a72b7c2357f46ef645400cb6311330ced73ee787244c85ba7c57e8c8e

    • SHA512

      29ed9563b901b818e69b17861ed55c8e0866f535ead9e1e67926ccaf587bbf00270b088111627a56795f1aff2ba9fab6c01407fa436cea81163e2db958304623

    • SSDEEP

      98304:pCS1O1pjm2VjLI8YKriL2KOwQ6XF5kgNEbiB/n+SWvVO6aNKJkaSjc7:8gO1kmjZY0aQoaY+iIM2kK7

    Score
    5/10
    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      IObit.Uninstaller.12.1.0.5 - XYZ/Descarga.xyz  Apk, Software , Películas, Full, Cracks, Seriales.URL

    • Size

      231B

    • MD5

      73b950de60d1dbf3c727e9d2215595ea

    • SHA1

      0d2f60fd07b725b9fdb1df10f6a78ef63f03d429

    • SHA256

      76e23e1d82a41bf249aa4440a2beaaaabdffcb56b6bf8ccfaca05af880eafe9b

    • SHA512

      5be16012a07a9165ad4f3c3d6fbc9c44dc1ff6722cb472ea8ea9768336aabd8389ff65e95daf03b4f75b865782f46828757f6e6afed7cdff5fd37bb8b385d749

    Score
    1/10
    • Target

      IObit.Uninstaller.12.1.0.5 - XYZ/iobituninstaller.exe

    • Size

      27.8MB

    • MD5

      ca16a886519d06b1fa8605317e0974ab

    • SHA1

      4b3d9ce72f602c69c1609825c80aeb201785c60e

    • SHA256

      3c64c3cad3a672f59c8dcd51fb0eba76669f3a08866336825c14409a91257894

    • SHA512

      3f61b981603a0a21b757d97ef5d729cc466d209527034b541baabd95f9350a9143ff717fdbef157735e8161019ca1b6b5094bf63cf8f27e10d9aa326f781d766

    • SSDEEP

      393216:uhqRX2+Q+t83Pj+lmP/00rjcfBwr93r5Ermhdc1ihMPGn8eAAAHuRUWatgTmEVHi:uhqh2+ptQvKaY4Mk8YuujAg5VH5eR

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely to geofence execution by region.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers commonly read browser profile data, which can include saved credentials, cookies and session tokens.

    • Registers COM server for autorun

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

    • Drops desktop.ini file(s)

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules that Internet Explorer loads as in-process plugins; they run with the browser's privileges.

MITRE ATT&CK Matrix (ATT&CK v6)

    Tactic             Technique                            Hits  ID
    Persistence        Change Default File Association      1     T1042
    Persistence        Registry Run Keys / Startup Folder   1     T1060
    Persistence        Browser Extensions                   1     T1176
    Defense Evasion    Modify Registry                      3     T1112
    Defense Evasion    Install Root Certificate             1     T1130
    Credential Access  Credentials in Files                 1     T1081
    Discovery          Query Registry                       2     T1012
    Discovery          System Information Discovery         2     T1082
    Collection         Data from Local System               1     T1005

    Hits is the number of report signatures mapped to each technique. The IDs are ATT&CK v6; in v7 and later, T1042, T1060, T1130 and T1081 were folded into the sub-techniques T1546.001, T1547.001, T1553.004 and T1552.001 respectively.
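As an added example that is not part of this report, the PowerShell below hunts a Windows host for the persistence artifacts the report attributes to iobituninstaller.exe (Browser Helper Objects, Run keys, the .exe file association, root certificates), resolves each entry to the file it loads, and checks that file's SHA256 against the two sample hashes the report gives. The registry and certificate-store locations are the standard Windows ones; the 30-day root-certificate filter and the `$ReportSha256` table are my own assumptions built from the report, not something the sandbox emits.

```powershell
# Added example, not part of the sandbox report. Run in an elevated session.
# Hunts the persistence locations named in the report and compares what it
# finds with the report's SHA256 values.

# SHA256 values copied from the report's Targets section (its only file IOCs).
$ReportSha256 = @{
    '4e12ff9a72b7c2357f46ef645400cb6311330ced73ee787244c85ba7c57e8c8e' = 'version.dll'
    '3c64c3cad3a672f59c8dcd51fb0eba76669f3a08866336825c14409a91257894' = 'iobituninstaller.exe'
}

function Resolve-ImagePath {
    # Pull the image path out of a registry command value, e.g.
    #   "C:\Program Files\X\y.exe" /arg   or   %SystemRoot%\system32\z.dll
    param([string]$Command)
    if (-not $Command) { return $null }
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    if ($c -match '^(\S+?\.(?:exe|dll|cmd|bat|scr))(\s|$)') { return $Matches[1] }
    return $c
}

function Get-ComServerPath {
    # Resolve a CLSID to the DLL/EXE registered as its COM server, i.e. what a
    # BHO or any other COM-based autorun entry actually loads.
    param([string]$Clsid)
    $hives = 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID',
             'HKCU:\SOFTWARE\Classes\CLSID'
    foreach ($hive in $hives) {
        foreach ($kind in 'InprocServer32', 'LocalServer32') {
            $key = "$hive\$Clsid\$kind"
            if (Test-Path -Path $key) {
                $v = (Get-ItemProperty -Path $key).'(default)'
                if ($v) { return $v }
            }
        }
    }
    return $null
}

function New-Finding {
    # One result row: SHA256 and Authenticode status of the referenced file,
    # plus whether that hash is one of the report's samples.
    param([string]$Technique, [string]$Location, [string]$Command)
    $path = Resolve-ImagePath $Command
    $row = [pscustomobject]@{
        Technique = $Technique; Location = $Location; Command = $Command
        Path = $path; Sha256 = $null; Signature = 'n/a'; KnownBad = $false
    }
    if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
        $row.Sha256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
        $row.Signature = (Get-AuthenticodeSignature -LiteralPath $path).Status
        $row.KnownBad  = $ReportSha256.ContainsKey($row.Sha256)
    }
    return $row
}

function Invoke-PersistenceHunt {
    $findings = @()

    # T1176: each subkey here is the CLSID of a BHO that Internet Explorer loads in-process.
    $bhoKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($k in $bhoKeys | Where-Object { Test-Path $_ }) {
        foreach ($sub in Get-ChildItem -Path $k) {
            $findings += New-Finding 'T1176 BHO' "$k\$($sub.PSChildName)" (Get-ComServerPath $sub.PSChildName)
        }
    }

    # T1060: Run / RunOnce values for the machine and the current user.
    $runKeys = 'HKLM:', 'HKCU:' | ForEach-Object {
        "$_\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "$_\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" }
    foreach ($k in $runKeys | Where-Object { Test-Path $_ }) {
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are provider metadata
            $findings += New-Finding 'T1060 Run key' "$k\$($p.Name)" ([string]$p.Value)
        }
    }

    # T1042: the .exe handler must be exactly "%1" %* ; anything else proxies every EXE launch.
    $exeCmd = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command').'(default)'
    if ($exeCmd -ne '"%1" %*') {
        $findings += New-Finding 'T1042 exefile handler' 'HKCR\exefile\shell\open\command' $exeCmd
    }

    # T1130 (heuristic, my assumption): a root CA whose validity began in the last
    # 30 days is unusual in a trusted-root store and deserves a manual look.
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        foreach ($cert in Get-ChildItem -Path $store | Where-Object { $_.NotBefore -gt (Get-Date).AddDays(-30) }) {
            $findings += [pscustomobject]@{
                Technique = 'T1130 recent root CA'; Location = $store; Command = $cert.Subject
                Path = $null; Sha256 = $cert.Thumbprint.ToLower(); Signature = 'n/a'; KnownBad = $false
            }
        }
    }
    return $findings
}

Invoke-PersistenceHunt | Format-Table Technique, KnownBad, Signature, Path, Location -AutoSize
```

A row with KnownBad set is a file on disk identical to one of the report's samples. More often the lead is a BHO or Run-key image whose Signature is NotSigned or HashMismatch: the report's iobituninstaller.exe registered a BHO and a COM server, and neither of those needs to share a hash with the sandboxed sample to be the same campaign.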

Tasks