General

  • Target

    tmp

  • Size

    6.1MB

  • Sample

    231222-hk3zcadah8

  • MD5

    a9ab5111bd45ac06105a6e2c87af245d

  • SHA1

    8d76daf0cc3b47103249907b2996d096da836450

  • SHA256

    9b5fbf587b30511d8fb6e84fd506e9f7c3c052eb68fcc6a1f7fca0297835f556

  • SHA512

    db4f7e2fe468eb74775176d6b4db084b9be7ea8162dd2d46a54ab5916f0300df48112813757e6744e0bf426342a5c736e646ad7867356a98e025455f6ec4025c

  • SSDEEP

    196608:GuzaEoqiYQwsPiJI2V1he1jCfGdfip6Spbv0fZ:GWqDhiJ7VS1jCfGU6ibMZ

Malware Config

Targets

    • Target

      tmp

    • Size

      6.1MB

    • MD5

      a9ab5111bd45ac06105a6e2c87af245d

    • SHA1

      8d76daf0cc3b47103249907b2996d096da836450

    • SHA256

      9b5fbf587b30511d8fb6e84fd506e9f7c3c052eb68fcc6a1f7fca0297835f556

    • SHA512

      db4f7e2fe468eb74775176d6b4db084b9be7ea8162dd2d46a54ab5916f0300df48112813757e6744e0bf426342a5c736e646ad7867356a98e025455f6ec4025c

    • SSDEEP

      196608:GuzaEoqiYQwsPiJI2V1he1jCfGdfip6Spbv0fZ:GWqDhiJ7VS1jCfGU6ibMZ

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Detected potential entity reuse from brand paypal.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks