2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1
Size

2.0MB
Sample

231114-xs7d3afg2v
MD5

9fd909b9252da347edb2c71b1c75dbb9
SHA1

cfbcf7181f4abe9a747aaad432cc32655a1d764e
SHA256

2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1
SHA512

b7b7f1036471d1f24836ca206b44c7cf07d2168e62fab276615a1876f894573eff38544c504ff182f206df8c483c5a30dcf7752bf94babececf6337aa122a0c6
SSDEEP

12288:dTgvmzFHi0mo5aH0qMzd5807FUJV1PJQPDHvd:dTgvOHi0mGaH0qSdPFUJh4V

Score

10^/10

evasion persistence trojan

Malware Config

Targets

- Target
  
  2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1
- Size
  
  2.0MB
- MD5
  
  9fd909b9252da347edb2c71b1c75dbb9
- SHA1
  
  cfbcf7181f4abe9a747aaad432cc32655a1d764e
- SHA256
  
  2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1
- SHA512
  
  b7b7f1036471d1f24836ca206b44c7cf07d2168e62fab276615a1876f894573eff38544c504ff182f206df8c483c5a30dcf7752bf94babececf6337aa122a0c6
- SSDEEP
  
  12288:dTgvmzFHi0mo5aH0qMzd5807FUJV1PJQPDHvd:dTgvOHi0mGaH0qSdPFUJh4V
Score

10^/10

evasion persistence trojan
- Modifies WinLogon for persistence
  persistence
- UAC bypass
  evasion trojan
- Adds policy Run key to start application
  persistence
- Disables RegEdit via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

evasionpersistencetrojan

behavioral2

evasionpersistencetrojan