General
-
Target
curl-8.4.0_6-win64-mingw.zip
-
Size
10.0MB
-
Sample
231029-hj9eqseh4y
-
MD5
3f79e33d3fcbaa871c28c249624be75c
-
SHA1
87f86bc5be209756da289e16d85159c650f95d69
-
SHA256
782e849a5a94ae4c8c93d6447dfaa0d36d596bc2727015a6f44044033581f385
-
SHA512
33783f49fafd828441219412f975f5427b824ba479fa73e1d92d8dc400215b57840f4db7daf9b033efc61dda5e37d82a7a48862e44ad249c9dc23b3de59e445a
-
SSDEEP
196608:l0It7beRd2pIX2Iv3Gr1PHIZRBZn/Jo88UMa:lv7bA2pQ3qlC7bP8S
Malware Config
Targets
-
-
Target
curl-8.4.0_6-win64-mingw.zip
-
Size
10.0MB
-
MD5
3f79e33d3fcbaa871c28c249624be75c
-
SHA1
87f86bc5be209756da289e16d85159c650f95d69
-
SHA256
782e849a5a94ae4c8c93d6447dfaa0d36d596bc2727015a6f44044033581f385
-
SHA512
33783f49fafd828441219412f975f5427b824ba479fa73e1d92d8dc400215b57840f4db7daf9b033efc61dda5e37d82a7a48862e44ad249c9dc23b3de59e445a
-
SSDEEP
196608:l0It7beRd2pIX2Iv3Gr1PHIZRBZn/Jo88UMa:lv7bA2pQ3qlC7bP8S
Score8/10-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry
-
-
-
Target
curl-8.4.0_6-win64-mingw/BUILD-README.url
-
Size
62B
-
MD5
98d34b6a6f959ca1c81d4a047283f9d0
-
SHA1
2e4c74fb2d4eefed62d7d0570508d0f16a3228c8
-
SHA256
95e00d67d239c10169e7110091659daf50f3d4ae8dce30ac5eac529b09177800
-
SHA512
357fbcd38c834e26018eef1c239fa1f51a1d9abc3690e5b6df2c6bd3a96db5de9f5ceba66b0a3d63eefd92757cca9c1b2fdf17681bdc3266739f9954154a228e
Score8/10-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2
-
Sets desktop wallpaper using registry
-
-
-
Target
curl-8.4.0_6-win64-mingw/bin/curl.exe
-
Size
5.9MB
-
MD5
85a9e99ffa3969329157929cc76ffff1
-
SHA1
f98810ca1d2b34dc4ba3a52fb6a7e90b32454462
-
SHA256
8dceda68623b9daf35e7d49f083bc178dcc4a68f8756e405c97f03b0525029eb
-
SHA512
776292cff7789e914a50906f634240723ed33e3388b1f2700adca369593d8673396e7a056cde9ab034abdac9d89e18427d10284c0fecddf20be5de8c151f73b2
-
SSDEEP
49152:m7xIVSXtrkki+mZQiukMXyS8roKklgPY/OHJqQQmoile/GDdGtlq5IU6i3KJWFwN:OxFRtOEd+Y/WJT9o5WO+3WW6kcd6tOx
Score8/10-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Possible privilege escalation attempt
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Checks whether UAC is enabled
-
Drops desktop.ini file(s)
-
Drops file in System32 directory
-
-
-
Target
curl-8.4.0_6-win64-mingw/bin/libcurl-x64.dll
-
Size
5.7MB
-
MD5
735e732457198bb2957c0af960871b59
-
SHA1
e823b2fe6a3de1d116d45e747a5f65f5eaf99152
-
SHA256
c24394ed346fcd77011b9719e61951a6b10530a51c4b266207c0e8178863f670
-
SHA512
f00b1964ee231ff457fe386511be1c7649898632ea259994a065ea0fd032c85dbbb2551cadecf937c5d89f6fde3c64881e447bc7328f6700ff3549dd37a25a32
-
SSDEEP
49152:wO76kdsn34H+O0O2T40aMYtVp+28/jNPwcM4HsdEuIgePGtlqS5kIU6iQA/sVwAp:D7yX404Vp+1jNYcM9EpA1+QVxLOFv+
Score8/10-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry
-
-
-
Target
curl-8.4.0_6-win64-mingw/dep/cacert/LICENSE.url
-
Size
73B
-
MD5
d4eeff46fd41c739e4653431fe2511c1
-
SHA1
f0e013b1593394cf7bb0bc770a7cfc9b2ff95aba
-
SHA256
b9954f88a27e8457cefcebd076fa533d037711383f6b28ae489d063ef8c61f79
-
SHA512
c0d809e8e561f19a9629931cda0bd8be8c8b919d6926fd63b50512919637a9ee676369d546744f5d1d7aade58dac8f55d23e2421dd24f255ec033ca3f5b001a6
Score8/10-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry
-
-
-
Target
curl-8.4.0_6-win64-mingw/docs/INSTALL.md
-
Size
24KB
-
MD5
802994b0d7b7eb3d67a82c9d839fd692
-
SHA1
b4246cbdb6861e2adf02c4fc8d51cc9f849ee3d3
-
SHA256
d8261f283471d59c70f25d94970005529543ebaa5976ac440bc5a967a69038a7
-
SHA512
98582cad269c51f0d5ef296a7190d1e2af539316f0cffbec231ab9cfba52dd7799a02082805e882c6e88ba5e41a7c7ce97347eadb12ecae4ba9dff550fa16b02
-
SSDEEP
768:OWSWUW4Rz+FGWf4EirdaLWBcW9cWGcWU0XMf/iy1d:OWSWUWO+FwqWOWyWHWA/iy1d
Score8/10-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Legitimate hosting services abused for malware hosting/C2
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
-
-
Target
curl-8.4.0_6-win64-mingw/lib/libbrotlicommon.a
-
Size
130KB
-
MD5
3f56cf21ec180e8257437799fd155935
-
SHA1
b79c12a7ba1142be9a5452a7650c022b605e5206
-
SHA256
34156de018916e2f5825238ea7634d25f2798d064b0201dc328a58158b36b733
-
SHA512
dc37f352c00d788752216b107a9112466e9218632b8c0846130dee63e702cbe944252062dd1d97c65500ef91fd092c50b6fc06033fe1f382979f6f8692f88eb7
-
SSDEEP
3072:N4lzbWhNbNL8DXGvVh73pbi0tdpvGJaoZB7PxBHJL:N4AhdNorGvHdbi09GJ5JL
Score8/10-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry
-