General

  • Target

    f56e425ba7f905b33c4d616143acac57

  • Size

    762KB

  • Sample

    231222-t5fv4abhd3

  • MD5

    f56e425ba7f905b33c4d616143acac57

  • SHA1

    8023bbf67944c594c100b167c02603a5baa1d507

  • SHA256

    b2e103c80923fec90ca8c6f8945a3096d13068bdd2e993f713650af9e92bcb1a

  • SHA512

    0a1d41064b1d7e7bb9bfeef903037508f7869e522d243bc864880d10bcd49d45b34b8ef4550d5e9bfa261f1a1f98d226f38d0a33285d7077fc4a142c0071dc5d

  • SSDEEP

    12288:mkQ5e3kWPHloPS676z54rucM8toDq3DJM8to7:PQ8UK67Y4rqgoDq3+go7

Malware Config

Targets

    • Modifies Windows Defender Real-time Protection settings

    • Modifies security service

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely for a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other profile contents.

    • UPX packed file

      Detects executables packed with the open-source UPX packer, including modified UPX builds.

    • VMProtect packed file

      Detects executables packed with the commercial VMProtect packer.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup web service to discover the infected system's external IP address.
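The UPX and VMProtect signatures above are, at heart, section-name and entropy checks. The Python below is an added example, not code from this report or from the sandbox vendor: it walks a PE section table, flags the default section names both packers write, and measures per-section Shannon entropy so that a renamed section still stands out. The PE image it analyses is constructed in the example itself (build_sample_pe, sample_upx_image) and is not the sample described on this page; the section-name lists and the 7.0 bits/byte threshold are assumptions of the example.

```python
import math
import random
import struct

# Default section names written by the packers named in the report. Both
# packers let the operator rename sections, so a match is a hint that the
# entropy check below backs up (assumption: these defaults are unchanged).
PACKER_SECTION_NAMES = {
    "UPX": {"UPX0", "UPX1", "UPX2"},
    "VMProtect": {".vmp0", ".vmp1", ".vmp2"},
}
HIGH_ENTROPY = 7.0  # bits per byte; compressed/encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk the PE section table; return name, sizes and raw-data entropy per section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + opt_size                           # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        raw = pe[rptr:rptr + rsize] if rsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rsize,
            "entropy": round(shannon_entropy(raw), 2),
        })
    return sections


def detect_packers(pe: bytes) -> dict:
    """Report packers suggested by section names plus any high-entropy sections."""
    sections = parse_sections(pe)
    names = {s["name"] for s in sections}
    packers = sorted(p for p, known in PACKER_SECTION_NAMES.items() if names & known)
    high = [s["name"] for s in sections if s["entropy"] >= HIGH_ENTROPY]
    return {"packers": packers, "high_entropy_sections": high, "sections": sections}


def build_sample_pe(sections: list) -> bytes:
    """Assemble a minimal, non-runnable PE image from (name, raw_bytes, virtual_size).

    Constructed for this example only; the optional header is left zeroed
    because the parser above never reads it.
    """
    num = len(sections)
    e_lfanew, opt_size = 0x40, 0xE0                        # PE32 optional header size
    table = e_lfanew + 4 + 20 + opt_size
    data_start = table + num * 40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, opt_size, 0x102)
    sec_table, blobs, vaddr = b"", b"", 0x1000
    for name, raw, vsize in sections:
        rptr = data_start + len(blobs) if raw else 0
        sec_table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                                 len(raw), rptr, 0, 0, 0, 0, 0x60000020)
        blobs += raw
        vaddr += max(vsize, 0x1000)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + sec_table + blobs


def sample_upx_image() -> bytes:
    """Constructed stand-in for a UPX-packed binary (not the sample from the report)."""
    rng = random.Random(1337)                              # fixed seed: reproducible bytes
    packed = bytes(rng.getrandbits(8) for _ in range(4096))
    return build_sample_pe([
        (b"UPX0", b"", 0x8000),          # empty on disk; reserves room for the unpacked image
        (b"UPX1", packed, 0x1000),       # compressed payload plus stub: high entropy
        (b".rsrc", b"\0" * 512, 0x200),  # resources kept uncompressed: low entropy
    ])


if __name__ == "__main__":
    result = detect_packers(sample_upx_image())
    for s in result["sections"]:
        print(f'{s["name"]:8} raw={s["raw_size"]:6} entropy={s["entropy"]}')
    print("packers:", result["packers"], "high-entropy:", result["high_entropy_sections"])
```

Run against a real file with `detect_packers(open(path, "rb").read())`. A name hit with no high-entropy section, or a high-entropy section with no known name, is the case worth a second look: either a renamed packer section or a hand-rolled crypter.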

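Most of the remaining signatures (Defender real-time protection modified, a security service modified, a startup file dropped, a Run key written, an external-IP lookup) map onto events Sysmon already records: registry value sets (Event ID 13), file creates (Event ID 11) and DNS queries (Event ID 22). The Python below is an added example, not the sandbox's own detection logic, that evaluates such rules over constructed Sysmon-style lines and groups the hits per process image. The field names follow Sysmon; the security-service list, the IP-echo domain list and the key=value|... line format are assumptions of the example. One caveat: "Checks computer location settings" is a registry read of the configured country code, and Sysmon logs registry writes only, so that behaviour needs EDR or ETW registry telemetry rather than these rules.

```python
import re

# Constructed Sysmon-style events (key=value fields joined by "|"). They mimic
# the behaviours listed in the report but are not taken from it.
SAMPLE_EVENTS = [
    "EventID=1|Image=C:\\Users\\Public\\svchost.exe|CommandLine=C:\\Users\\Public\\svchost.exe",
    "EventID=13|Image=C:\\Users\\Public\\svchost.exe|EventType=SetValue"
    "|TargetObject=HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring"
    "|Details=DWORD (0x00000001)",
    "EventID=13|Image=C:\\Users\\Public\\svchost.exe|EventType=SetValue"
    "|TargetObject=HKLM\\System\\CurrentControlSet\\Services\\WinDefend\\Start|Details=DWORD (0x00000004)",
    "EventID=11|Image=C:\\Users\\Public\\svchost.exe"
    "|TargetFilename=C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\updater.exe",
    "EventID=13|Image=C:\\Users\\Public\\svchost.exe|EventType=SetValue"
    "|TargetObject=HKU\\S-1-5-21-1000000000-2000000000-3000000000-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"
    "|Details=C:\\Users\\alice\\AppData\\Roaming\\updater.exe",
    "EventID=22|Image=C:\\Users\\Public\\svchost.exe|QueryName=api.ipify.org|QueryResults=104.26.12.205;",
    # benign noise: a system service touching an unrelated key, and a browser resolving its vendor
    "EventID=13|Image=C:\\Windows\\System32\\svchost.exe|EventType=SetValue"
    "|TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Auto Update\\LastWUAutoupdateTime"
    "|Details=2023-12-22 10:00:00",
    "EventID=22|Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe|QueryName=www.mozilla.org|QueryResults=::ffff:44.236.48.31;",
]

# Policy values under the Defender Real-Time Protection key (DisableRealtimeMonitoring etc.)
DEFENDER_RTP = re.compile(r"\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\Disable\w+$", re.I)
# Service start type: ...\Services\<name>\Start; DWORD 4 is SERVICE_DISABLED
SERVICE_START = re.compile(r"\\Services\\([^\\]+)\\Start$", re.I)
SECURITY_SERVICES = {"windefend", "wscsvc", "securityhealthservice", "sense", "mpssvc"}  # assumed list
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Starter list of IP-echo services (assumption); extend it from your own DNS telemetry
IP_LOOKUP_DOMAINS = {"api.ipify.org", "ipinfo.io", "icanhazip.com",
                     "checkip.amazonaws.com", "ifconfig.me", "ip-api.com"}


def parse_event(line: str) -> dict:
    """Split one key=value|key=value line into a dict (values may contain '=')."""
    return dict(field.split("=", 1) for field in line.split("|"))


def dword(details: str):
    """Decode Sysmon's 'DWORD (0x00000001)' Details rendering; None for other types."""
    m = re.fullmatch(r"DWORD \(0x([0-9A-Fa-f]{8})\)", details)
    return int(m.group(1), 16) if m else None


def evaluate(ev: dict) -> list:
    """Return the names of every rule one event matches."""
    hits = []
    eid = ev.get("EventID")
    target = ev.get("TargetObject", "")
    if eid == "13":
        if DEFENDER_RTP.search(target) and dword(ev.get("Details", "")) == 1:
            hits.append("defender_realtime_protection_disabled")
        m = SERVICE_START.search(target)
        if m and m.group(1).lower() in SECURITY_SERVICES and dword(ev.get("Details", "")) == 4:
            hits.append("security_service_disabled")
        if RUN_KEY.search(target):
            hits.append("run_key_persistence")
    elif eid == "11" and STARTUP_DIR.search(ev.get("TargetFilename", "")):
        hits.append("startup_folder_drop")
    elif eid == "22" and ev.get("QueryName", "").lower() in IP_LOOKUP_DOMAINS:
        hits.append("external_ip_lookup")
    return hits


def triage(lines) -> dict:
    """Group rule hits per process image; images with no hits are omitted."""
    by_image = {}
    for line in lines:
        ev = parse_event(line)
        hits = evaluate(ev)
        if hits:
            by_image.setdefault(ev.get("Image", "<unknown>"), set()).update(hits)
    return {image: sorted(hits) for image, hits in by_image.items()}


if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS).items():
        print(image)
        for h in hits:
            print("  -", h)
```

Grouping by Image is what turns five individually noisy rules into a signal: a Run key write alone is routine, but one process that also disables real-time protection and asks an IP-echo service for its address matches the profile this report describes.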
MITRE ATT&CK Enterprise v15

Tasks