General

  • Target

    719ec0fb659c656478b02bfe546941087ff17536a8966.exe

  • Size

    6.1MB

  • Sample

    231220-cfjr1sagh2

  • MD5

    645a27bbbbb15cc06d5cc958fb7ccdef

  • SHA1

    e0f1ef4157b65439cfca198ef0d9aaf006f37d51

  • SHA256

    719ec0fb659c656478b02bfe546941087ff17536a89661a6ab2faaaf0393c0d1

  • SHA512

    58d6664a426cd1407b926c243953926979a30a6ced7edeb922f1e713c6c2918f6d7c75ab617973baeac42ba1f7023980b4cf421cd88dca60c210bd989b050d7a

  • SSDEEP

    196608:vuFZbzwat7JMVlePAZ1BrsM165dfNPDwBW:WFeat7eleoFVgdlP4W

Targets

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand PayPal.

    • Suspicious use of NtSetInformationThreadHideFromDebugger
