Resubmissions

15-12-2023 20:21

231215-y41lbshbem 10

15-12-2023 20:02

231215-yr82yaaed2 10

General

  • Target

    683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.bin

  • Size

    49KB

  • Sample

    231215-y41lbshbem

  • MD5

    46bfd4f1d581d7c0121d2b19a005d3df

  • SHA1

    5b063298bbd1670b4d39e1baef67f854b8dcba9d

  • SHA256

    683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96

  • SHA512

    b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5

  • SSDEEP

    768:AbFw10RFnAwJM7MiqwecUaX5h4IuCdYa+XLXTGY1idL2WYiwtDj:Apw10vnAOIUaJh4IXdWXLXTWLfuFj

Malware Config

Targets

    • Target

      683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.bin

    • Size

      49KB

    • MD5

      46bfd4f1d581d7c0121d2b19a005d3df

    • SHA1

      5b063298bbd1670b4d39e1baef67f854b8dcba9d

    • SHA256

      683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96

    • SHA512

      b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5

    • SSDEEP

      768:AbFw10RFnAwJM7MiqwecUaX5h4IuCdYa+XLXTGY1idL2WYiwtDj:Apw10vnAOIUaJh4IXdWXLXTWLfuFj

    • Deletes Windows Defender Definitions

      Uses mpcmdrun utility to delete all AV definitions.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks