General

  • Target

    a9c31c5e3e425c8f9d79ab9d327da848.bin

  • Size

    6.1MB

  • Sample

    231222-b7739aeafq

  • MD5

    9b1dea6d76a745bd5f25a883e0273ec5

  • SHA1

    c369cb8ad3a87d8ae7a3f7adcec1a8c89b72d50e

  • SHA256

    822241533cc876cbc9761f0f30f3791642fe48564129d0f40be38e8baea3f4b7

  • SHA512

    47ef804026a9f047b81f5604e32353e27eb6ae858874d389160897fa01b790c824239f45c6ae9ec77025a628e4bce42c148683bd295ad362365922f47d681711

  • SSDEEP

    98304:BbfyPGS+Eia9BMUB0cj8i8Y4bpzIes1JLzmyokW/CdKqXx5ImnKzDver5snWPZir:hkUc4ieNzXbyofaxh5Im2rC+UZiwed

Malware Config

Targets

    • Target

      c6f8ab2ae2bfff6591d4950f292d04e997e8342e84c4631ee01df43b26745155.exe

    • Size

      6.1MB

    • MD5

      a9c31c5e3e425c8f9d79ab9d327da848

    • SHA1

      3eb936de792d5cf07e15a91e26763d6bb6a31ed8

    • SHA256

      c6f8ab2ae2bfff6591d4950f292d04e997e8342e84c4631ee01df43b26745155

    • SHA512

      6d04c1d5906dcb7508a6c10f6d06dfd3305bfdeceb78a3cf5b914f6187c1f6e18e0b0f6771a7c719fd78a7dc5891e84a367269fa66f2743e26f8e24b82b1dad4

    • SSDEEP

      196608:sGlonyo33iGT+M5CMRdu8IpzGgBZ6pC8B37Cz:OyMSGTJ5CkuHpzGgBsCI38

    • Detected google phishing page

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, among other things.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand paypal.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks