General

  • Target

    gimp-2.10.36-setup.7z

  • Size

    342.4MB

  • Sample

    240223-lv3ccaed7x

  • MD5

    3ab8772aad477bb3dbf2ac1bd5bd65db

  • SHA1

    711b338b63a3e72be05f313cf660da94eb74d94d

  • SHA256

    0b463fd8e31fe8b2ca76920e0586b49703e32233c4d73f5e1b599eb628fc90c0

  • SHA512

    33b6af9d6f72fc67f918a2fd88517c7fdb5a0af4b2174600c520aa0549aecddd78745e681f5826ca7539775ab9b3ae7bae54b8f752f050df79cff996963df602

  • SSDEEP

    6291456:h5SeT7GM+8sWdcnQOs2UYViQtXle2gD/sGIcZRvcPYHn6DKNq:/Si7aWwUVSM4GIcfvcPYHxq
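A practitioner reading this table usually wants one thing from it: to confirm whether a copy of the installer sitting on a workstation or in a download cache is the same file the sandbox saw. The Python below is an added example, not part of the report; it streams a file through the four digest algorithms listed here and compares the result against the report's hashes for the archive and, further down, the installer it contains (SSDEEP is left out because it needs the third-party `ssdeep` module). The `match_iocs` helper and the command-line usage are my own construction.

```python
import hashlib
import io
import sys

# Digests copied from the report for the archive and the installer it contains.
REPORT_IOCS = {
    "gimp-2.10.36-setup.7z": {
        "md5": "3ab8772aad477bb3dbf2ac1bd5bd65db",
        "sha1": "711b338b63a3e72be05f313cf660da94eb74d94d",
        "sha256": "0b463fd8e31fe8b2ca76920e0586b49703e32233c4d73f5e1b599eb628fc90c0",
        "sha512": "33b6af9d6f72fc67f918a2fd88517c7fdb5a0af4b2174600c520aa0549aecddd"
                  "78745e681f5826ca7539775ab9b3ae7bae54b8f752f050df79cff996963df602",
    },
    "gimp-2.10.36-setup.exe": {
        "md5": "3b1410c38148f9292a464c06894fc558",
        "sha1": "3c87eadaf9665e5c84a045abd013a237c875bf77",
        "sha256": "2949487e3dbd5caf6ddd488bdc92946088e81fafb27a6a29be84c1de8ff48b8d",
        "sha512": "c5c0cf26686e65aa99d0cbcdd433f9b8af80a79d89821ecb9df190dd4ebd4ffd"
                  "3fdd17d7dbd9bbf13b9a1043e005bb4ab5af0a22bc6c984a7602f74d82ccc1cd",
    },
}

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def digest_stream(fh, chunk_size=1 << 20):
    """Hash a binary stream with all four algorithms in a single pass, reading
    1 MiB at a time so a 340 MB installer is never loaded into memory whole."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_file(path):
    with open(path, "rb") as fh:
        return digest_stream(fh)


def digest_bytes(data):
    """Convenience wrapper for in-memory data (used for self-checks)."""
    return digest_stream(io.BytesIO(data))


def match_iocs(digests, ioc_table=REPORT_IOCS):
    """Return the IOC names whose every recorded digest equals the computed one.
    Requiring all listed digests to agree guards against a transcription error
    in any single hash; comparison is case-insensitive because feeds differ."""
    return [
        name
        for name, expected in ioc_table.items()
        if all(digests[alg].lower() == value.lower() for alg, value in expected.items())
    ]


if __name__ == "__main__":
    # Usage: python check_gimp_iocs.py <file> [<file> ...]
    for path in sys.argv[1:]:
        d = digest_file(path)
        hits = match_iocs(d)
        print(path, d["sha256"], "MATCHES " + ", ".join(hits) if hits else "no match")
```

A non-match only says the local file is not this exact sample; a repackaged or re-signed build would hash differently, so a negative result is not proof that the installer is the genuine one from gimp.org.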

Malware Config

Targets

    • Target

      gimp-2.10.36-setup.exe

    • Size

      343.4MB

    • MD5

      3b1410c38148f9292a464c06894fc558

    • SHA1

      3c87eadaf9665e5c84a045abd013a237c875bf77

    • SHA256

      2949487e3dbd5caf6ddd488bdc92946088e81fafb27a6a29be84c1de8ff48b8d

    • SHA512

      c5c0cf26686e65aa99d0cbcdd433f9b8af80a79d89821ecb9df190dd4ebd4ffd3fdd17d7dbd9bbf13b9a1043e005bb4ab5af0a22bc6c984a7602f74d82ccc1cd

    • SSDEEP

      6291456:ROS0S/8HWwH7zQKvLd/q5w5FwwKtH5F9QUzWZkQ3MkhdWnrDNpCMhglMnyVsc:X0C8HjQKvZa9/PbQLqr7glTB

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other account data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory
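The signatures above are the sandbox's names for behaviours it observed; the report does not publish the underlying rules. As an added example that is not the sandbox's code or the report's data, the Python below shows the kind of rule logic that produces such signatures, run over a constructed event trace. The event format, the path patterns, the list of IP-lookup hosts and the `verdict` helper are my own assumptions; the file and registry names in the trace are made up for illustration and are not events from this task.

```python
import re
from urllib.parse import urlparse

# Patterns this example uses to recognise each signature. They are assumptions,
# not the sandbox's rules; a real rule set is considerably larger.
UNINSTALL_KEY = re.compile(r"\\CurrentVersion\\Uninstall(\\|$)", re.I)
BROWSER_PROFILE = re.compile(
    r"\\(Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave-Browser)\\User Data\\"
    r"|\\Mozilla\\Firefox\\Profiles\\", re.I)
MESSENGER_DATA = re.compile(r"\\Telegram Desktop\\tdata\\|\\discord\\Local Storage\\", re.I)
WALLET_DATA = re.compile(r"wallet\.dat$|\\Exodus\\|\\Electrum\\wallets\\|\\Ethereum\\keystore\\", re.I)
SYSTEM32 = re.compile(r"^[A-Z]:\\Windows\\System32\\", re.I)
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "ipinfo.io", "icanhazip.com",
                   "checkip.amazonaws.com"}

CREDENTIAL_ACCESS = {
    "Reads user/profile data of web browsers",
    "Reads local data of messenger clients",
    "Accesses cryptocurrency files/wallets, possible credential harvesting",
}


def classify(events):
    """Map (operation, target) tuples to the report's signature names.
    Returns {signature: [targets that triggered it]} in first-seen order.
    'Dropped' signatures need state: a CreateProcess or LoadLibrary only counts
    when the same path was written earlier in the trace."""
    hits = {}
    dropped = set()  # lower-cased paths written by the process so far

    def fire(sig, target):
        hits.setdefault(sig, []).append(target)

    for op, target in events:
        norm = target.lower()
        if op == "FileWrite":
            dropped.add(norm)
            if SYSTEM32.search(target):
                fire("Drops file in System32 directory", target)
        elif op == "CreateProcess" and norm in dropped:
            fire("Executes dropped EXE", target)
        elif op == "LoadLibrary" and norm in dropped:
            fire("Loads dropped DLL", target)
        elif op == "RegOpenKey" and UNINSTALL_KEY.search(target):
            fire("Checks installed software on the system", target)
        elif op == "FileRead":
            if BROWSER_PROFILE.search(target):
                fire("Reads user/profile data of web browsers", target)
            elif MESSENGER_DATA.search(target):
                fire("Reads local data of messenger clients", target)
            elif WALLET_DATA.search(target):
                fire("Accesses cryptocurrency files/wallets, possible credential harvesting", target)
        elif op == "HttpGet":
            host = (urlparse(target).hostname or "").lower()
            if host in IP_LOOKUP_HOSTS:
                fire("Looks up external IP address via web service", target)
    return hits


def verdict(hits):
    """Separate installer noise from the infostealer signal: dropping and running
    files is what any installer does; reading credential stores is not."""
    if CREDENTIAL_ACCESS & set(hits):
        return "suspicious: credential-store access"
    return "no credential-store access"


# Constructed trace combining installer-style activity with the credential reads
# the report's signatures describe. Paths are invented for illustration.
TMP = r"C:\Users\victim\AppData\Local\Temp\is-ABCDE.tmp"
SAMPLE_EVENTS = [
    ("FileWrite", TMP + r"\gimp-2.10.36-setup.tmp"),
    ("CreateProcess", TMP + r"\gimp-2.10.36-setup.tmp"),
    ("FileWrite", TMP + r"\_isetup\_shfoldr.dll"),
    ("LoadLibrary", TMP + r"\_isetup\_shfoldr.dll"),
    ("RegOpenKey", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"),
    ("FileRead", r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("FileRead", r"C:\Users\victim\AppData\Roaming\Mozilla\Firefox\Profiles\abcd.default\logins.json"),
    ("FileRead", r"C:\Users\victim\AppData\Roaming\Telegram Desktop\tdata\key_datas"),
    ("FileRead", r"C:\Users\victim\AppData\Roaming\Exodus\exodus.wallet\seed.seco"),
    ("HttpGet", "https://api.ipify.org/"),
    ("FileWrite", r"C:\Windows\System32\drivers\etc\hosts"),
]

# The same installer-style activity on its own, for comparison.
BENIGN_INSTALLER_EVENTS = SAMPLE_EVENTS[:5]

if __name__ == "__main__":
    for sig, targets in classify(SAMPLE_EVENTS).items():
        print(f"{sig}: {len(targets)} event(s)")
    print(verdict(classify(SAMPLE_EVENTS)))
```

The comparison trace matters in practice: an Inno Setup installer (the format the GIMP Windows installer uses) writes its own executable and helper DLLs to a temporary directory and runs them, and checks the Uninstall key for a previous installation, so "Executes dropped EXE", "Loads dropped DLL" and "Checks installed software on the system" fire on a clean installer as well. The reads of browser, messenger and wallet stores are what distinguish this report from one for the genuine installer.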

MITRE ATT&CK Enterprise v15

Tasks