15721ae2d04e5e9d1b9d49821e87cf5007bee2ba0b4306f5e6d0d190f2591759 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

PO2023.exe
Size

588KB
Sample

231005-klen9ahg2t
MD5

a98108f853d463f53cbf9d387939a355
SHA1

3a247e03235c86730326f68319248d38b1a83531
SHA256

15721ae2d04e5e9d1b9d49821e87cf5007bee2ba0b4306f5e6d0d190f2591759
SHA512

2cc43621d9eb78e3b01fe06b11031853c3472a9d3b7c9fe00813952f364a03d21778d0e56dc16c045770ea07abc9065b80669a3444643f19b5fd94bed0eba3b0
SSDEEP

12288:tawpe2SdqfYdxy1KhF5wZKvg7qNZfK3Gwwfe/7rM4VWjbH:tawpe2Sdqgm1AmFMZksf03kjbH

Score

10^/10

persistence spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.selmopackaging.com
Port:
587
Username:
[email protected]
Password:
}CK2:}[&<my&%xjZ

Targets

- Target
  
  PO2023.exe
- Size
  
  588KB
- MD5
  
  a98108f853d463f53cbf9d387939a355
- SHA1
  
  3a247e03235c86730326f68319248d38b1a83531
- SHA256
  
  15721ae2d04e5e9d1b9d49821e87cf5007bee2ba0b4306f5e6d0d190f2591759
- SHA512
  
  2cc43621d9eb78e3b01fe06b11031853c3472a9d3b7c9fe00813952f364a03d21778d0e56dc16c045770ea07abc9065b80669a3444643f19b5fd94bed0eba3b0
- SSDEEP
  
  12288:tawpe2SdqfYdxy1KhF5wZKvg7qNZfK3Gwwfe/7rM4VWjbH:tawpe2Sdqgm1AmFMZksf03kjbH
Score

10^/10

persistence spyware stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

persistencespywarestealer

behavioral2

persistencespywarestealer