General

  • Target

    Energy_Gamer.exe

  • Size

    13.2MB

  • Sample

    240202-tf86cahhd7

  • MD5

    569ebceef6b93d2b6df145be2b579e2b

  • SHA1

    a95f84dc080ffbab7f2e3c9b295c867a148d4a3b

  • SHA256

    fef04bade6811de31ed43969889175b26f7b14b5164289aa0e8411e173798a6c

  • SHA512

    18bb9bf8d490e67d58ac7cb11ee491c8a796607771ee2a055d9465afa2949f073dfcaff1c8eb8fe965956e1ec32548330a5bd0240b70ba2ccf0b6c6ccdd48d9e

  • SSDEEP

    393216:v4EkMD2nwW+eGQRIMTozGxu8C0ibfz6e57Q1bmXiWCUI:gUDawW+e5R5oztZ026e5uFVUI

Malware Config

Targets

    • Target

      Energy_Gamer.exe

    • Size

      13.2MB

    • MD5

      569ebceef6b93d2b6df145be2b579e2b

    • SHA1

      a95f84dc080ffbab7f2e3c9b295c867a148d4a3b

    • SHA256

      fef04bade6811de31ed43969889175b26f7b14b5164289aa0e8411e173798a6c

    • SHA512

      18bb9bf8d490e67d58ac7cb11ee491c8a796607771ee2a055d9465afa2949f073dfcaff1c8eb8fe965956e1ec32548330a5bd0240b70ba2ccf0b6c6ccdd48d9e

    • SSDEEP

      393216:v4EkMD2nwW+eGQRIMTozGxu8C0ibfz6e57Q1bmXiWCUI:gUDawW+e5R5oztZ026e5uFVUI

    • Downloads MZ/PE file

    • Modifies Installed Components in the registry

    • Sets file execution options in registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Registers COM server for autorun

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      creal.pyc

    • Size

      53KB

    • MD5

      937459c536212f2d9527a3cdd8e6a2a6

    • SHA1

      8c1c9e523fc4a27bef29b11579e2980a9aef19cd

    • SHA256

      60e73495a7425983d8f5839a68e13d4a1a5c29afc1495f0833d696d4a86a1a07

    • SHA512

      d545bebd7fb27793c4fbdad0b3dc8933b3f184f60ae7fc43c44242a9876b0732a1b2f5874e2c7eca6c008d730d182c7f77ee09c61b1ecd16feddaaf832eadec5

    • SSDEEP

      1536:2rOaqMamq3YwmQyLCipnml5ZOhLQmGwCo3gX:2K7MapmJpnDSou

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks