Resubmissions

09-03-2023 20:22

230309-y5ltkaab42 10

General

  • Target

    EaseUS Partition Master Activator.exe

  • Size

    2.2MB

  • Sample

    230309-y5ltkaab42

  • MD5

    1fb1048f4896328ee4e6da176c94a5df

  • SHA1

    5775e2918e3850bd54c31a017dfc06e4fd847038

  • SHA256

    b1be91e9a72f94064ebe43fa46a4a8ced18c79d7a9e568c5402a0b527c65f1d2

  • SHA512

    9b755b32222bbdeb1870768659c2d0d09dd3d5c70c82486e695079420cd54e1194859f60647c763186077a95466af3f5830c0c0f10de0953e4e200865fd6c101

  • SSDEEP

    49152:dJ4gV9CC+ABH/dfBrDjLSQCKp88CYpQeRRgTH/dvDDJrCG:dJ48+8HVfBrf/3p1DlkHt/Bp

Malware Config

Extracted

Family

gcleaner

C2

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Targets

    • Target

      EaseUS Partition Master Activator.exe

    • Size

      2.2MB

    • MD5

      1fb1048f4896328ee4e6da176c94a5df

    • SHA1

      5775e2918e3850bd54c31a017dfc06e4fd847038

    • SHA256

      b1be91e9a72f94064ebe43fa46a4a8ced18c79d7a9e568c5402a0b527c65f1d2

    • SHA512

      9b755b32222bbdeb1870768659c2d0d09dd3d5c70c82486e695079420cd54e1194859f60647c763186077a95466af3f5830c0c0f10de0953e4e200865fd6c101

    • SSDEEP

      49152:dJ4gV9CC+ABH/dfBrDjLSQCKp88CYpQeRRgTH/dvDDJrCG:dJ48+8HVfBrf/3p1DlkHt/Bp

    • Detects PseudoManuscrypt payload

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • PseudoManuscrypt

      PseudoManuscrypt is a malware Lazarus’s Manuscrypt targeting government organizations and ICS.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks