General

  • Target

    864535296e9af54c499f6c263b0e892c0c21194b4e3b9ec4f2e1514004d5b147

  • Size

    1.9MB

  • Sample

    240201-h3n8xagbcj

  • MD5

    f123d75e6ab188abc937c1c5d21274c6

  • SHA1

    32d89ffddf983989f0a432bc0fd014cb970c8fac

  • SHA256

    864535296e9af54c499f6c263b0e892c0c21194b4e3b9ec4f2e1514004d5b147

  • SHA512

    d064be4a608b6efed7b3a6cd9e8a64155a73ec82f4e47f61a465a88e30d98fccd59f66fb2274d9e8abdb9bc7d89cd798814633734deba4711fab30cb5da98342

  • SSDEEP

    49152:Y65z1o02R2cFB3gwqQXSjewyeCx/DLO7b8Zf05yPmsn:JE03yB3gwqqSKbWe8IN

Targets

    • Detected google phishing page

    • Modifies Windows Defender Real-time Protection settings

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger
