General
-
Target
https://cdn.discordapp.com/attachments/1150938701694763178/1218978921098383380/hi.exe?ex=6609a196&is=65f72c96&hm=6c8a747b917a411b04b8168e5174973ac109d05f94d8e11c24f2a649f8456577&
-
Sample
240317-wmn5vscf2y
Malware Config
Targets
-
-
Target
https://cdn.discordapp.com/attachments/1150938701694763178/1218978921098383380/hi.exe?ex=6609a196&is=65f72c96&hm=6c8a747b917a411b04b8168e5174973ac109d05f94d8e11c24f2a649f8456577&
Score10/10-
CryptoLocker
Ransomware family with multiple variants.
-
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Downloads MZ/PE file
-
Modifies Installed Components in the registry
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Sets desktop wallpaper using registry
-