General

  • Target

    Demande de devis (Universite Paris Cite 2307E.exe

  • Size

    1.0MB

  • Sample

    230711-mn2ynsgc97

  • MD5

    109ec28e5ea4e77ece61fa9538cac09f

  • SHA1

    d6ee1eacf73e2f4610225cef20f9002e7696ad3a

  • SHA256

    9280d62d63789270382bb87f5f200b05b32c1908cabbc5215f62f843b287b42f

  • SHA512

    2ee253a0f40fb093abcc95603212502bd4ac553a5ea57fee429aaaa0379a70d752e374d1425d9965ddfcf87028e6c717225a3efef07d2892ab28a46ba164a50a

  • SSDEEP

    24576:whlXrM2sDMG2bTj4+4oNcaOCU9ws73niSN8Q:GXYDMGyN/e5vws733R

Malware Config

Targets

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks