General

  • Target

    7f921526449963559a911dffeb3fff1cbbfa64dd3189ad36d9b91c495e83446c

  • Size

    1.9MB

  • Sample

    240129-l759rsfeh5

  • MD5

    eda78f518cd0a5fd88c694c21f2eb473

  • SHA1

    23c4ea260ab26e5d30422749b048055ddac18405

  • SHA256

    7f921526449963559a911dffeb3fff1cbbfa64dd3189ad36d9b91c495e83446c

  • SHA512

    e5030561f9bbfe3fb945c24547290979eff1326830420e0d57b5618a02a6515ee08b94d166d1c04d1dd97c279696c46b9748f86850c4a951263dad8a36e675c7

  • SSDEEP

    49152:qy5z1o02R2cFNGLoygKtsbEMZV1rvX50VeV4mhQ:jE03yNFRbEMR5cea

Malware Config

Targets

    • Detected Google phishing page

    • Modifies Windows Defender Real-time Protection settings

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Windows security modification

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks