General

  • Target: 03ba42f27927659605cd8c27962c45a4.bin
  • Size: 3.1MB
  • Sample: 231222-bctx5scbf6
  • MD5: e372a73d7f8faf38db0bb1b6ac35453c
  • SHA1: fa51fe8f36a9aee04d8db094b1cbbd58315263eb
  • SHA256: 17a4fe1cd4f50925ee0c692888899c886460fa9717db2bb4ced44172dea45a1f
  • SHA512: d9035c168f5f975054fa09f0b21d33e61b8cf556a79513169d2ce9e2aecffde5cede6b2fb3913f448bed51d14cab624b0090d3bb612d386f7d9272dff0c53f0c
  • SSDEEP: 98304:lkzH0MG1Nje4TMCfT6AixJvBUj9d/O5DKF+Y:lYFG1pe4oWP9l2DA

Malware Config

Targets

    • Target: edb16ee14ff56f6f5b19f0433d8c47259b52ebc3219e351c7bfd7e3974974bae.exe
    • Size: 3.2MB
    • MD5: 03ba42f27927659605cd8c27962c45a4
    • SHA1: f36577464867c88efbf2363a8365b38d34dc4685
    • SHA256: edb16ee14ff56f6f5b19f0433d8c47259b52ebc3219e351c7bfd7e3974974bae
    • SHA512: 3ba692dce72cfd47136b856fc0c7793ce0e3619eb7c9d231b9e375d2a7d6556070433de905060059c3e3e859281e2c9add9622562d2d9361e36d19e0a909a15e
    • SSDEEP: 98304:ezPrd9IsGUO1Hr7PxPs96f53xaIETnVr:Qd9S57PdCRTn

    • Detected google phishing page

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand paypal.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks