General

  • Target

    doc000993293.rar

  • Size

    340KB

  • Sample

    230918-kwc86saf58

  • MD5

    539b9abf3f1d07d6aece30ab034799ac

  • SHA1

    27a89545a8d6711d8af27f287a3f667390540374

  • SHA256

    b8a87d2aa3d09f165e7b74c285393fe56c384c358e31f07243223106fa315bac

  • SHA512

    967dd19a061e217dfcd263cc2e186085c79a630b93cd9b7e914ded23e2e0d68f446012067e6a94b4cf5cbc939df29b0b2df0eaa1fe743f5011c0b4977b563d8c

  • SSDEEP

    6144:r6gIYpJFcxjqyPrOxOhy0t0e0pYYFIBGcW5fIkpNvXbkDw7VdVASw:mglpHcxzOcoVLpYtkh5fIkfvew75Nw

Malware Config

Targets

    • Target

      Begraensningen.exe

    • Size

      423KB

    • MD5

      67550518a3434e0bc380ca85ec053295

    • SHA1

      88bde13bf178d6e84f0ea16cf84006574c2e1ab9

    • SHA256

      2340f884236aaa127f58da3f0cd257a6ee2aabd974bb409ec4f07ea01d5f045b

    • SHA512

      dba25e03bf36a7744a3b31ee7c4a4cace70a762dd0c57e26eb801856e8c3af61ec7f6a289c8332cefe741d7eef8419df4bf53fe645223b10e91f428336061105

    • SSDEEP

      6144:xB+pgUvsgje7ILcuqHy74ZhR0NmnK/2+Rc/gDHbJ75E0ME9p5FU8:xgnN+4cPSOhR0snK7RGkb/fME9jFU8

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Deletes itself

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks