Overview

overview

10

Static

static

3

be05c5bc_7...69.exe

windows7-x64

7

be05c5bc_7...69.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    be05c5bc_75774b1adf09d7375f2cc83bb9ff6f6ecee4f09acabbbbcb799f184e80358269.exe

  • Size

    288KB

  • Sample

    230522-np1mnsgb49

  • MD5

    be05c5bc5f62f2db1bdbea191e5b1062

  • SHA1

    76823ab85844634b98ea1203340c63bf8acf5d70

  • SHA256

    75774b1adf09d7375f2cc83bb9ff6f6ecee4f09acabbbbcb799f184e80358269

  • SHA512

    4dc05ddb96c73406a50d4a5381b23294e945286d46a31aa4cafb6b5eb9e1a60d99e9f5214e9be794ddb690cbbb32854c4c036a58b21a9e51a729483eeeeaf2b8

  • SSDEEP

    6144:smDAURUZ2xUYjtUGGJHm8Ul/lxWHwNdjY99l1bqm4DkGI9cL1kBeBGGGJzm8Ul/v:zeVYKJDA2Hsc9l1bqG3BfJXA

Score
10/10
persistencepyinstallerspywarestealer

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://discord.com/api/webhooks/1108039493635821588/yYZ5XU6SGSgPdcnjO8lH8_jzgvQLfuur4uVq4Q2xzBWVRhYWiSoWh5Ei-dN0mPa_yB_j

Targets

    • Target

      be05c5bc_75774b1adf09d7375f2cc83bb9ff6f6ecee4f09acabbbbcb799f184e80358269.exe

    • Size

      288KB

    • MD5

      be05c5bc5f62f2db1bdbea191e5b1062

    • SHA1

      76823ab85844634b98ea1203340c63bf8acf5d70

    • SHA256

      75774b1adf09d7375f2cc83bb9ff6f6ecee4f09acabbbbcb799f184e80358269

    • SHA512

      4dc05ddb96c73406a50d4a5381b23294e945286d46a31aa4cafb6b5eb9e1a60d99e9f5214e9be794ddb690cbbb32854c4c036a58b21a9e51a729483eeeeaf2b8

    • SSDEEP

      6144:smDAURUZ2xUYjtUGGJHm8Ul/lxWHwNdjY99l1bqm4DkGI9cL1kBeBGGGJzm8Ul/v:zeVYKJDA2Hsc9l1bqG3BfJXA

    Score
    10/10
    persistencepyinstallerspywarestealer

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks