General

  • Target

    Thunda-Image-Logger.exe

  • Size

    74.7MB

  • Sample

    231125-wwvn1acd6w

  • MD5

    3174ae95667750e4d5e05ff78d87be2f

  • SHA1

    dbb858639cb707b1a5398048baf371f04a873971

  • SHA256

    653436b2ae3722db63a7c682a64c07e30af684dd474139187e8e521672ddfe82

  • SHA512

    933636c74efd8cf424de0b8ad26ebe2246d2aacc705a60ca4d126a1d756407b539df77b8b325a762473117675a8905cd72f8a61b215a4d3c1bf25c8439243677

  • SSDEEP

    1572864:z22MLeQxH0FSk8IpG7V+VPhqGGE7XQHUzvWspyppiZzI+hR1sWgSaZpBBcW:6ZLe6UFSkB05awGPQ0SMg2zd7sv1GW

Malware Config

Targets

    • Target

      Thunda-Image-Logger.exe

    • Enumerates VirtualBox DLL files

    • Sets file to hidden

      Modifies file attributes so the dropped file is not shown in Explorer and similar default file listings.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely to geofence execution to or away from particular regions.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly harvest stored browser profile data, which can include saved credentials and other sensitive account data.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX build.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
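
The hash and packing indicators listed above can be re-checked on a suspect file offline. The following Python script is an added example, not part of the sandbox report and not code from the sample: it recomputes the four digests against the values listed on this page, then parses the PE section table with a minimal reader to flag the default UPX section names (UPX0/UPX1) or the "UPX!" header marker. The PE built by build_fake_pe is a constructed test fixture (valid headers only, not executable code), the 4 KiB window for the marker search is an assumption about where UPX leaves its header, and SSDEEP is omitted because it requires the external ssdeep tool rather than the standard library.

```python
import hashlib
import struct

# Digests reported for Thunda-Image-Logger.exe on this page.
REPORTED_HASHES = {
    "md5": "3174ae95667750e4d5e05ff78d87be2f",
    "sha1": "dbb858639cb707b1a5398048baf371f04a873971",
    "sha256": "653436b2ae3722db63a7c682a64c07e30af684dd474139187e8e521672ddfe82",
    "sha512": "933636c74efd8cf424de0b8ad26ebe2246d2aacc705a60ca4d126a1d756407b539df77b8b325a762473117675a8905cd72f8a61b215a4d3c1bf25c8439243677",
}


def hashes_of(data: bytes) -> dict:
    """Compute the same digest set the report lists (SSDEEP omitted: needs the ssdeep tool)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def matching_algorithms(data: bytes, reported: dict = REPORTED_HASHES) -> set:
    """Return the algorithms whose digest of `data` equals the reported value."""
    actual = hashes_of(data)
    return {alg for alg, digest in reported.items() if actual.get(alg) == digest.lower()}


def pe_section_names(data: bytes) -> list:
    """Read section names from a PE image; raises ValueError on malformed/truncated headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER starts after "PE\0\0"
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size              # IMAGE_SECTION_HEADER array follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40                  # each section header is 40 bytes, name is the first 8
        raw = data[off:off + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.split(b"\0", 1)[0].decode("latin-1"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """Weak UPX heuristic: default UPX0/UPX1 section names, or the 'UPX!' l_info marker
    in the header area (assumed: first 4 KiB). Section names can be renamed, so a
    negative result is not proof the file is unpacked."""
    by_name = any(name.upper().startswith("UPX") for name in pe_section_names(data))
    by_marker = b"UPX!" in data[:0x1000]
    return by_name or by_marker


def build_fake_pe(section_names) -> bytes:
    """Constructed test fixture: MZ stub, PE signature, COFF header, zeroed PE32
    optional header (224 bytes) and a section table. Headers only; not runnable code."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader=224, Characteristics=EXECUTABLE|32BIT
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x0102)
    optional = bytes(224)
    sections = b"".join(name.encode("latin-1").ljust(8, b"\0") + bytes(32) for name in section_names)
    return bytes(dos) + coff + optional + sections


def triage(data: bytes) -> dict:
    """One-shot summary a responder would log for a suspect file."""
    return {
        "hash_matches": sorted(matching_algorithms(data)),
        "sections": pe_section_names(data),
        "upx_suspected": looks_upx_packed(data),
    }


if __name__ == "__main__":
    # Constructed input standing in for a dropped executable.
    sample = build_fake_pe(["UPX0", "UPX1", ".rsrc"])
    print(triage(sample))
```

On a real file, read it in binary mode and pass the bytes to triage(); any algorithm in hash_matches confirms the file is the sample from this report, while upx_suspected only says the packer left its defaults in place and the file should be unpacked before static analysis.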

MITRE ATT&CK Enterprise v15

Tasks