a44674bb518d90a3bfdf290d47f6c656a2b203cf5ee461f064ed84388051b623

Resubmissions

22/08/2023, 03:17

230822-dth83sbc8y 10

22/08/2023, 01:39

230822-b284csba4w 10

22/08/2023, 01:35

230822-bzrfjahd28 1

22/08/2023, 01:13

230822-bld82shc63 10

Sharing

Copy URL Twitter E-mail

General

Target

BrowserUpdate.zip
Size

1.7MB
Sample

230822-bld82shc63
MD5

f31f4c63bfc841e2ec965972643b2be4
SHA1

37a7637213e32d7bec80b5b65265d7811599be63
SHA256

a44674bb518d90a3bfdf290d47f6c656a2b203cf5ee461f064ed84388051b623
SHA512

9ffac6f5958f37fae6fb01c9d0e57982dad1778c62e76f830368d8442d55c6e126c9b4d5df20fb8acf760931f2279c441d49906dc4d642420585ec408d8a51d3
SSDEEP

49152:lU/QmIp7e6x8A0pvbWjcw7fjzY+AC2Z7BnjEvccD5CGUU:yQl7bOAeuLrHPx2BBjEboBU

Score

10^/10

spyware

Malware Config

Targets

- Target
  
  BrowserUpdate.zip
- Size
  
  1.7MB
- MD5
  
  f31f4c63bfc841e2ec965972643b2be4
- SHA1
  
  37a7637213e32d7bec80b5b65265d7811599be63
- SHA256
  
  a44674bb518d90a3bfdf290d47f6c656a2b203cf5ee461f064ed84388051b623
- SHA512
  
  9ffac6f5958f37fae6fb01c9d0e57982dad1778c62e76f830368d8442d55c6e126c9b4d5df20fb8acf760931f2279c441d49906dc4d642420585ec408d8a51d3
- SSDEEP
  
  49152:lU/QmIp7e6x8A0pvbWjcw7fjzY+AC2Z7BnjEvccD5CGUU:yQl7bOAeuLrHPx2BBjEboBU
Score

10^/10

spyware
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral1
- Target
  
  Package/granulocyte.tiff
- Size
  
  681KB
- MD5
  
  fbb1e8ac73e4fbf5e12fdbb84a251d03
- SHA1
  
  0d9755ac2360cd03cdc9c612324ae5ef474acb53
- SHA256
  
  80a2f164c0c5fda46134f66be3979fd4a63f5fd2c0c61c63bc364d2a3b8b210d
- SHA512
  
  d4541412f577d3fc334a5292bbc6acaf716fdd4f3f62e7e5c00ae9119a24ad9d627786fbeede7f1ae0efc54d6600d6c236370d7da7e625e8010a80445c690d56
- SSDEEP
  
  12288:0Y54FDkbMylC+mqxqmxevS/R/adwlxeEF+D8eKJDbPno+YjjB4dnnT:1QDzDVvS/RyLmJ3PMjjBinT
Score

3^/10
behavioral2
- Target
  
  Package/insert_delimiter.pscript
- Size
  
  1KB
- MD5
  
  3c0c93f687dce4d43bdb60237bbd0b54
- SHA1
  
  d66ca3bc8ad49532ecd1b22241650c24de801ba7
- SHA256
  
  4b460fde39403b5fc251388363565bdcf4b3eb1fd23873154efe61e6fc482042
- SHA512
  
  06614a9c48b904d616ac2b60a9df06eca67a0eab15a700563d98b10cb0f0461c0f978ec4289328aead6561226df1391e973b8d1c1ea58822f6cf57183f525a33
Score

5^/10
- Drops file in System32 directory
behavioral3
- Target
  
  Package/mozglue.dll
- Size
  
  222KB
- MD5
  
  c7c981ca225470d807c329c32f17b036
- SHA1
  
  bc5c480f4d20925cf68cb72661e037ba17f771d9
- SHA256
  
  4159b1ccbb8da3b89d1844628312cf3efd52dec6c1264278cce9b265c295c8ff
- SHA512
  
  af57a68d3d459a4ebf4409729c1069a413e0f8a026511d3a677d5c84701e5e5aa55bd9f77903695837174c86936a3db62941bb9459e4deee0ae75ddecec1d0bd
- SSDEEP
  
  6144:8ODW3D8ZyYsnT0rhsGqAimnNWuvk5aTBNG82Kh/6QFi9jpapT3DeJR:eAwrTahsrANbvkkTXG8fk2p32R
Score

5^/10
- Drops file in System32 directory
behavioral4
- Target
  
  Package/msvcp140.dll
- Size
  
  564KB
- MD5
  
  1ba6d1cf0508775096f9e121a24e5863
- SHA1
  
  df552810d779476610da3c8b956cc921ed6c91ae
- SHA256
  
  74892d9b4028c05debaf0b9b5d9dc6d22f7956fa7d7eee00c681318c26792823
- SHA512
  
  9887d9f5838aa1555ea87968e014edfe2f7747f138f1b551d1f609bc1d5d8214a5fdab0d76fcac98864c1da5eb81405ca373b2a30cb12203c011d89ea6d069af
- SSDEEP
  
  12288:RBSNvy11qsslnxU/1ceqHiNHlOp/2M+UHHZpDLO+r2VhQEKZm+jWodEEVAdm:RBSDOFQEKZm+jWodEE2dm
Score

3^/10
behavioral5
- Target
  
  Package/palemoon.exe
- Size
  
  279KB
- MD5
  
  64e3c6d6a396836e3c57b81e4c7c8f3b
- SHA1
  
  f689e6995c85817193282163a18ec917c5f8d5c2
- SHA256
  
  f2b4ca304f3d9d3305ae595e19906c545601f8c9e215a9b598036e89155daf85
- SHA512
  
  a57349e922f7608524ea721ff2cff3876587b53eb6875a996ff2ff6681b8ae57d6f33b3598d327f5e02bfbed0e253a19c4f0f94382439879a5fc32c1233e5dfb
- SSDEEP
  
  6144:/TFaSHaPlcCgYH9oYAd6q2vACSHaPlcCgYH9oY8nJX:/5969RTHGkIF69RTHyX
Score

6^/10

spyware
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral6
- Target
  
  Package/rot-13.pscript
- Size
  
  1KB
- MD5
  
  ac1cd856f434464d3f68465061171d0a
- SHA1
  
  57ae543f84214cf00576db15bd24d2e1f3bd4768
- SHA256
  
  2e4bd5557aedd1743da5fab1b6995fbc447d6e9491d9ec59fa93ab889d8bccd1
- SHA512
  
  6348f2c1dd131231f041b5e59bb83eb7e337c93799a955df66fb077dc3b91659263cf8780bc7a6a007008155cc2c83b0ab1ac145abca2a8fa7d3500af46d1a49
Score

3^/10
behavioral7
- Target
  
  Package/vcruntime140.dll
- Size
  
  106KB
- MD5
  
  49c96cecda5c6c660a107d378fdfc3d4
- SHA1
  
  00149b7a66723e3f0310f139489fe172f818ca8e
- SHA256
  
  69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc
- SHA512
  
  e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d
- SSDEEP
  
  1536:BcghDMWyjXZZIzpdbJhKm6Kuzu8fsecbq8uOFQr+zMtY+zA:BVHyQNdbJAKuzRsecbq8uOFvyU
Score

3^/10
behavioral8
- Target
  
  Package/vcruntime140_1.dll
- Size
  
  48KB
- MD5
  
  cf0a1c4776ffe23ada5e570fc36e39fe
- SHA1
  
  2050fadecc11550ad9bde0b542bcf87e19d37f1a
- SHA256
  
  6fd366a691ed68430bcd0a3de3d8d19a0cb2102952bfc140bbef4354ed082c47
- SHA512
  
  d95cd98d22ca048d0fc5bca551c9db13d6fa705f6af120bbbb621cf2b30284bfdc7320d0a819bb26dab1e0a46253cc311a370bed4ef72ecb60c69791ed720168
- SSDEEP
  
  768:a0Q4HUcGJZekJSam1BbuBSYcCZbiLzlSHji9z4GwZHji9znwT:afnDex5izbiLzlE+z4Gwl+zwT
Score

3^/10
behavioral9
- Target
  
  Setup.exe
- Size
  
  976KB
- MD5
  
  1cfcd71517a86f325cd631fe0a87f96b
- SHA1
  
  ef1ca3f6efc4798d774deda4c5a34459328d519e
- SHA256
  
  e58a6c6ab2fa3d5e7ea3f13421f7818d614051e3c8d8cf360c3192c82df6a508
- SHA512
  
  ea67d20a7c6d91596065169855d5d797acbfa6f93a746c3e77dfa863060786d147b5671c0a4fd76aa963e6bbd122e07f12342ec21488c23fbf20e998d3d56b5c
- SSDEEP
  
  24576:CL1UrW6nRhlt9Y9y/hg34fDsHJRaKO2Hj0mUM4k:s67lt9Y9y/W34gzaKrHYk
Score

10^/10

spyware
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral10

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Targets

Suspicious use of NtCreateUserProcessOtherParentProcess

Executes dropped EXE

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in System32 directory

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Suspicious use of NtCreateUserProcessOtherParentProcess

Executes dropped EXE

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10