6398d8ab770748ba06958dc0b7ef0528ea97d518b889e26e1cdaab642da6be17

General

Target

palebreast.exe
Size

1.2MB
MD5

80a929ed8c5c4aadc9fb589baf5b3c5c
SHA1

49254388bb2926b6b7c6a3846121aaa001639c7a
SHA256

6398d8ab770748ba06958dc0b7ef0528ea97d518b889e26e1cdaab642da6be17
SHA512

d0046618e4d7151d1338e36dceef31598ac75ed49506ed31a1f290479e8242f5b6bee3fc68e9f1da0194a73aa2899a2eef81d5d59bd705e01217c128daa03fb0
SSDEEP

24576:+mFPqmsbqk95ACjKC4onl8Q3wlRjMPybTJmUU:nPdIACjKCxl13ojMPyblG

Score

7^/10

Malware Config

Signatures

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	palebreast.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	palebreast.exe

Loads dropped DLL 1 IoCs

pid	Process
3812	palebreast.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3812	palebreast.exe
4328	palebreast.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3812 set thread context of 4328	3812	palebreast.exe	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3812	palebreast.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 4328	3812	palebreast.exe	99
PID 3812 wrote to memory of 4328	3812	palebreast.exe	99
PID 3812 wrote to memory of 4328	3812	palebreast.exe	99
PID 3812 wrote to memory of 4328	3812	palebreast.exe	99
PID 3812 wrote to memory of 4328	3812	palebreast.exe	99

C:\Users\Admin\AppData\Local\Temp\palebreast.exe
"C:\Users\Admin\AppData\Local\Temp\palebreast.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Users\Admin\AppData\Local\Temp\palebreast.exe
  "C:\Users\Admin\AppData\Local\Temp\palebreast.exe"
  2⤵
  - Checks QEMU agent file
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:4328

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
1⤵
PID:4512

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
1⤵
PID:4116
- C:\Program Files\Mozilla Firefox\Firefox.exe
  "C:\Program Files\Mozilla Firefox\Firefox.exe"
  2⤵
  PID:4160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsiC14D.tmp\System.dll

Filesize
11KB

MD5
b0c77267f13b2f87c084fd86ef51ccfc

SHA1
f7543f9e9b4f04386dfbf33c38cbed1bf205afb3

SHA256
a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77

SHA512
f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

Download Submit
memory/768-58-0x0000000007A00000-0x0000000007AF4000-memory.dmp

Filesize
976KB

Download
memory/768-48-0x000000000CB50000-0x000000000D5D2000-memory.dmp

Filesize
10.5MB

Download
memory/768-55-0x000000000CB50000-0x000000000D5D2000-memory.dmp

Filesize
10.5MB

Download
memory/768-62-0x0000000007A00000-0x0000000007AF4000-memory.dmp

Filesize
976KB

Download
memory/768-59-0x0000000007A00000-0x0000000007AF4000-memory.dmp

Filesize
976KB

Download
memory/3812-20-0x00000000743D0000-0x00000000743D6000-memory.dmp

Filesize
24KB

Download
memory/3812-19-0x0000000077571000-0x0000000077691000-memory.dmp

Filesize
1.1MB

Download
memory/3812-18-0x0000000077571000-0x0000000077691000-memory.dmp

Filesize
1.1MB

Download
memory/4116-60-0x0000000003150000-0x00000000031EE000-memory.dmp

Filesize
632KB

Download
memory/4116-56-0x0000000003150000-0x00000000031EE000-memory.dmp

Filesize
632KB

Download
memory/4116-57-0x0000000000E70000-0x0000000000EA6000-memory.dmp

Filesize
216KB

Download
memory/4116-54-0x0000000000E70000-0x0000000000EA6000-memory.dmp

Filesize
216KB

Download
memory/4116-52-0x0000000002E00000-0x000000000314A000-memory.dmp

Filesize
3.3MB

Download
memory/4116-50-0x0000000000E70000-0x0000000000EA6000-memory.dmp

Filesize
216KB

Download
memory/4116-49-0x0000000000E70000-0x0000000000EA6000-memory.dmp

Filesize
216KB

Download
memory/4328-36-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4328-47-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/4328-46-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4328-45-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4328-51-0x0000000001660000-0x00000000054DC000-memory.dmp

Filesize
62.5MB

Download
memory/4328-42-0x0000000077571000-0x0000000077691000-memory.dmp

Filesize
1.1MB

Download
memory/4328-41-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4328-53-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4328-40-0x0000000035B10000-0x0000000035E5A000-memory.dmp

Filesize
3.3MB

Download
memory/4328-39-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4328-38-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4328-37-0x0000000001660000-0x00000000054DC000-memory.dmp

Filesize
62.5MB

Download
memory/4328-23-0x0000000077615000-0x0000000077616000-memory.dmp

Filesize
4KB

Download
memory/4328-22-0x00000000775F8000-0x00000000775F9000-memory.dmp

Filesize
4KB

Download
memory/4328-21-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download

Analysis

Sharing