Resubmissions

26/02/2024, 12:14

240226-pep9madf2y 10

23/02/2024, 08:45

240223-kn4fdsdh5y 10

General

  • Target

    gimp-2.10.36-setup.exe

  • Size

    343.4MB

  • Sample

    240223-kn4fdsdh5y

  • MD5

    3b1410c38148f9292a464c06894fc558

  • SHA1

    3c87eadaf9665e5c84a045abd013a237c875bf77

  • SHA256

    2949487e3dbd5caf6ddd488bdc92946088e81fafb27a6a29be84c1de8ff48b8d

  • SHA512

    c5c0cf26686e65aa99d0cbcdd433f9b8af80a79d89821ecb9df190dd4ebd4ffd3fdd17d7dbd9bbf13b9a1043e005bb4ab5af0a22bc6c984a7602f74d82ccc1cd

  • SSDEEP

    6291456:ROS0S/8HWwH7zQKvLd/q5w5FwwKtH5F9QUzWZkQ3MkhdWnrDNpCMhglMnyVsc:X0C8HjQKvZa9/PbQLqr7glTB
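The practical use of the hash block above is to check a file already in hand (a cached download, an installer found on a host) against the report's indicators. The following is an added example, not part of the sandbox report: it computes all four digests in a single pass over the file so a multi-gigabyte installer is read once, then reports whether the file matches every published hash, none of them, or only some (the last case usually means a hash was mistyped when it was copied, and should be investigated rather than ignored). The `REPORT_HASHES` values are copied from the page; the function names are this example's own.

```python
import hashlib

# Digests published in the report above for gimp-2.10.36-setup.exe (copied from the page).
REPORT_HASHES = {
    "md5": "3b1410c38148f9292a464c06894fc558",
    "sha1": "3c87eadaf9665e5c84a045abd013a237c875bf77",
    "sha256": "2949487e3dbd5caf6ddd488bdc92946088e81fafb27a6a29be84c1de8ff48b8d",
    "sha512": "c5c0cf26686e65aa99d0cbcdd433f9b8af80a79d89821ecb9df190dd4ebd4ffd3fdd17d7dbd9bbf13b9a1043e005bb4ab5af0a22bc6c984a7602f74d82ccc1cd",
}


def digests(chunks):
    """Feed every chunk to md5/sha1/sha256/sha512 at once; returns {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in REPORT_HASHES}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digests_of_bytes(data, chunk_size=1 << 20):
    """Hash an in-memory buffer in chunks (used here for testing with constructed input)."""
    view = memoryview(data)
    return digests(view[i:i + chunk_size] for i in range(0, len(view), chunk_size))


def digests_of_file(path, chunk_size=1 << 20):
    """Hash a file on disk without loading it whole; a 343 MB installer is read once."""
    with open(path, "rb") as f:
        return digests(iter(lambda: f.read(chunk_size), b""))


def compare(computed, reference):
    """Per-algorithm equality, case-insensitive because reports and vendors differ in hex case."""
    return {name: computed[name].lower() == reference[name].lower() for name in reference}


def verdict(computed, reference=REPORT_HASHES):
    """'ioc_match' when every algorithm agrees with the report, 'no_match' when none does,
    'inconsistent' when only some do (a copy error in one hash, or a deliberately tampered
    IOC list; either way the comparison is not trustworthy as it stands)."""
    results = compare(computed, reference)
    if all(results.values()):
        return "ioc_match"
    if not any(results.values()):
        return "no_match"
    return "inconsistent"


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, verdict(digests_of_file(path)))
```

Run it as `python check_hashes.py gimp-2.10.36-setup.exe`; a result of `ioc_match` means the file is byte-for-byte the sample analysed here. A `no_match` only says the file is not this sample, not that it is the genuine GIMP release; for that, compare against the hash the GIMP project publishes for the version, which this page does not carry.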

Malware Config

Targets

    • Target

      gimp-2.10.36-setup.exe

    • Contains code to disable Windows Defender

      A .NET executable that disables Windows Defender capabilities such as real-time monitoring and Block at First Sight.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser profile data, which can include saved credentials and other account material.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory
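The signature list above is the sandbox's verdict, not something a defender can re-run. The example below is added here and is not the sandbox's own rule set: it shows how the same behaviours can be recognised in endpoint telemetry you already collect (Sysmon or EDR events for process creation, registry writes and queries, file access and DNS). The events are constructed to resemble what a trojanised installer of this kind would produce; the paths and domains in the rules are the well-known locations of the artefacts each signature names (Defender policy keys, Chrome's `Login Data`, Telegram's `tdata`, the Exodus wallet directory, the `Uninstall` key, public IP-echo services). Everything else, including the event field names, is this example's assumption.

```python
import re

# Constructed telemetry in a Sysmon-like shape. Not from the sandbox run on this page;
# the GIMP plug-in read at the end is a benign control that must not fire any rule.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": 'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"type": "registry_set", "path": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\DisableBlockAtFirstSeen", "value": 1},
    {"type": "file_read", "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_read", "path": r"C:\Users\alice\AppData\Roaming\Telegram Desktop\tdata\key_datas"},
    {"type": "file_read", "path": r"C:\Users\alice\AppData\Roaming\Exodus\exodus.wallet\seed.seco"},
    {"type": "registry_query", "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"},
    {"type": "dns_query", "query": "api.ipify.org"},
    {"type": "file_write", "path": r"C:\Windows\System32\Tasks\Updater"},
    {"type": "file_read", "path": r"C:\Program Files\GIMP 2\lib\gimp\2.0\plug-ins\file-png.exe"},
]

# (signature label as the report words it, event types the rule applies to, field, regex).
# Two rules may share a label; the report's Defender signature covers both the PowerShell
# cmdlet route and direct policy-key writes.
RULES = [
    ("Contains code to disable Windows Defender", {"process"}, "cmdline",
     r"Set-MpPreference.*-Disable(RealtimeMonitoring|BlockAtFirstSeen|IOAVProtection|BehaviorMonitoring)"),
    ("Contains code to disable Windows Defender", {"registry_set"}, "path",
     r"\\Windows Defender\\.*\\Disable(RealtimeMonitoring|BlockAtFirstSeen|AntiSpyware)$"),
    ("Reads user/profile data of web browsers", {"file_read"}, "path",
     r"\\(Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave-Browser)\\User Data\\.*\\(Login Data|Cookies|Web Data)$"
     r"|\\Mozilla\\Firefox\\Profiles\\.*\\(logins\.json|key4\.db|cookies\.sqlite)$"),
    ("Reads local data of messenger clients", {"file_read"}, "path",
     r"\\Telegram Desktop\\tdata\\|\\discord\\Local Storage\\leveldb\\"),
    ("Accesses cryptocurrency files/wallets, possible credential harvesting", {"file_read"}, "path",
     r"\\(Exodus\\exodus\.wallet|Electrum\\wallets|Ethereum\\keystore)\\"),
    ("Checks installed software on the system", {"registry_query"}, "path",
     r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\"),
    ("Looks up external IP address via web service", {"dns_query"}, "query",
     r"^(api\.ipify\.org|ipinfo\.io|api\.ip\.sb|icanhazip\.com|checkip\.amazonaws\.com)$"),
    ("Drops file in System32 directory", {"file_write"}, "path",
     r"^[A-Z]:\\Windows\\System32\\"),
]

# Signatures that, taken together, distinguish an infostealer from a noisy but legitimate installer.
THEFT_LABELS = {
    "Reads user/profile data of web browsers",
    "Reads local data of messenger clients",
    "Accesses cryptocurrency files/wallets, possible credential harvesting",
}


def match_signatures(events):
    """Return {signature label: [matching field values]} for every rule that fires."""
    hits = {}
    for event in events:
        for label, types, field, pattern in RULES:
            if event.get("type") not in types:
                continue
            value = str(event.get(field, ""))
            if re.search(pattern, value, re.IGNORECASE):
                hits.setdefault(label, []).append(value)
    return hits


def is_stealer_profile(hits):
    """True when the sample both tampers with Defender and touches at least one credential store:
    the combination seen in this report, and one no image editor's installer needs."""
    return ("Contains code to disable Windows Defender" in hits
            and any(label in hits for label in THEFT_LABELS))


if __name__ == "__main__":
    found = match_signatures(SAMPLE_EVENTS)
    for label, evidence in found.items():
        print(f"{label}: {len(evidence)} event(s)")
    print("stealer profile:", is_stealer_profile(found))
```

The rules are deliberately narrow (exact credential-store filenames, exact Defender value names) so they can run over a whole fleet without drowning in noise; the price is that a stealer reading a renamed copy of the database slips past the path regex, which is why the combination check in `is_stealer_profile` matters more than any single rule.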

MITRE ATT&CK Enterprise v15

Tasks