General

  • Target

    PYMT SUCESSFUL AVIS CREDIT 12012024.exe

  • Size

    444KB

  • Sample

    240113-aq69ysgfbj

  • MD5

    9352bb54fb680c197ef32e2ebe10e6a5

  • SHA1

    34745e30c5435a715a7ca3b81f78883f72bfb90f

  • SHA256

    b7ff86b6da28a06ee0de3032320ebb3989eb61467e6d40740cfd082444ed9c06

  • SHA512

    3939aa3e87a1c26073ca69db4f5fbc80611188e3c16f8a39ba98389df5e28cd83d04ffbf8928100bb7edeb3119353ed378310d2626c81033cd04e6a1709cca74

  • SSDEEP

    12288:xiMZHMlRkB3d9eQNjfDypk8D8lK+3pvGxuqTypR6snVWvHSM:xiMZsrkZnHdbyC8olyuqKRnVWL

Malware Config

Targets

    • Target

      PYMT SUCESSFUL AVIS CREDIT 12012024.exe

    • Size

      444KB

    • MD5

      9352bb54fb680c197ef32e2ebe10e6a5

    • SHA1

      34745e30c5435a715a7ca3b81f78883f72bfb90f

    • SHA256

      b7ff86b6da28a06ee0de3032320ebb3989eb61467e6d40740cfd082444ed9c06

    • SHA512

      3939aa3e87a1c26073ca69db4f5fbc80611188e3c16f8a39ba98389df5e28cd83d04ffbf8928100bb7edeb3119353ed378310d2626c81033cd04e6a1709cca74

    • SSDEEP

      12288:xiMZHMlRkB3d9eQNjfDypk8D8lK+3pvGxuqTypR6snVWvHSM:xiMZsrkZnHdbyC8olyuqKRnVWL

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      d968cb2b98b83c03a9f02dd9b8df97dc

    • SHA1

      d784c9b7a92dce58a5038beb62a48ff509e166a0

    • SHA256

      a4ec98011ef99e595912718c1a1bf1aa67bfc2192575729d42f559d01f67b95c

    • SHA512

      2ee41dc68f329a1519a8073ece7d746c9f3bf45d8ef3b915deb376af37e26074134af5f83c8af0fe0ab227f0d1acca9f37e5ca7ae37c46c3bcc0331fe5e2b97e

    • SSDEEP

      192:CVA1YOTDExj7EFrYCT4E8y3hoSdtTgwF43E7QbGPXI9uIc6w79Mw:CrR7SrtTv53tdtTgwF4SQbGPX36wJMw

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks