General

  • Target

    DHL-Shipment-AWL-0010993954-pdf.exe

  • Size

    628KB

  • Sample

    230718-hcxscshe2s

  • MD5

    23b53c5a46edb96074fa72673a13b94f

  • SHA1

    2df91abe31779634ba2809a2ff1953b279214b70

  • SHA256

    c3b8c2966ebf82260e14bc0d95b2223dcdfef62c1e7fe0e92aafffa05e4b695f

  • SHA512

    9dcd0241ed926677f454452bfbc36e91ff87995762ce454688245c62e0b641207eb8e93d39223c33ee0600eb835cc6ec58c43a809b8a619ede3a36d78b65e52f

  • SSDEEP

    6144:oDX6o9FL7SV8ccs0KyrEtMGTLLzxB0TzvZxTNwfY4GXr2S/Pid2zk87bdW2+I7kW:D9LfcTzxfw1Arm+kUF+ek3e4lUbUq

Targets

    • Target

      DHL-Shipment-AWL-0010993954-pdf.exe

    • Guloader,Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
