General

  • Target

    Calabiyau_Installer_Release_0.9.1.396_10439382.exe

  • Size

    163.4MB

  • Sample

    240408-bkat8scc87

  • MD5

    022b4707e26b6c4d965bb88cc2668b62

  • SHA1

    65c3c8ee02f6c37e0e71572800a9b7b967af2745

  • SHA256

    68cadea3071b42d42bd81a4f84c61609494c9e04d016c070f410111c3b8c8bef

  • SHA512

    34faff8695cf85c2001bdd1466bd2be6506b9ae4667e196c1ec23d5ecb72a97efc69a502a3886aa648801ba9247e90a0fd0a08ae1c3985d5e05515e88792aba4

  • SSDEEP

    3145728:t8aKWcoPkyA4sWnh3N9NX61z5UBrL4CnYCdTwA39QB:t8lWcoPO4sWhpX6UBf/vcY9QB

Targets

    • Target

      Calabiyau_Installer_Release_0.9.1.396_10439382.exe

    • Drops file in Drivers directory

      Writes a file into the Windows drivers directory (%SystemRoot%\System32\drivers), where kernel-mode drivers are installed.

    • Modifies AppInit DLL entries

      Changes the AppInit_DLLs value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows. DLLs listed there are loaded into every process that loads user32.dll, a long-standing injection and persistence point.

    • Reads user/profile data of web browsers

      Infostealers commonly harvest stored browser data, which can include saved credentials, cookies and autofill entries.

    • Adds Run key to start application

      Creates a value under a ...\Software\Microsoft\Windows\CurrentVersion\Run key so the program is started at user logon.

    • Downloads MZ/PE file

      Retrieved a Windows executable (MZ/PE header) over the network during execution.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets file execution options in registry

      Writes under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options. A Debugger value there redirects every launch of the named image to another program.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops file in System32 directory

      Writes a file into %SystemRoot%\System32.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger information class, which stops debug events for that thread from being delivered to an attached debugger; a common anti-debugging technique.

Signatures describe behaviour observed during the sandbox run, not a verdict. An installer of this size can legitimately drop drivers, write to System32 and register autostart entries; the MBR write, the AppInit DLL change and the Image File Execution Options entry are the hits that warrant the closest inspection.
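Three of the signatures above (AppInit DLL entries, Run key, file execution options) leave registry artifacts a responder can hunt for on a host that ran the installer. The following is an added example and is not part of the sandbox report: a Python scanner that parses the text of a `reg export` file and flags those artifacts, including the LoadAppInit_DLLs / RequireSignedAppInit_DLLs state that decides whether an AppInit DLL is actually loaded, and IFEO Debugger and FLG_MONITOR_SILENT_PROCESS_EXIT entries. The embedded registry export is constructed for demonstration; its paths and file names (hook.dll, svc.exe, sethc.exe, notepad.exe) are made up and are not taken from this sample.

```python
"""Hunt a .reg export for the registry artifacts named in the sandbox
signatures: AppInit DLLs, Run keys and Image File Execution Options.

Added example, not part of the sandbox report. Produce the input with
`reg export <key> out.reg` on the host and pass the text to scan_reg_text().
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample export for demonstration only; none of these paths,
# DLL or executable names come from the analysed installer.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Windows\\Temp\\hook.dll"
"LoadAppInit_DLLs"=dword:00000001
"RequireSignedAppInit_DLLs"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Users\\Public\\svc.exe\" -q"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200
'''


@dataclass(frozen=True)
class Finding:
    category: str   # "appinit", "run" or "ifeo"
    key: str        # registry key the artifact lives under
    detail: str


_KEY_RE = re.compile(r'^\[(-?)(.+)\]$')                    # [KEY] or [-KEY]
_VAL_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')  # "name"=value or @=value


def _unescape(s: str) -> str:
    # Undo .reg string escaping: doubled backslashes and backslash-escaped quotes.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse .reg export text into {key_path: {value_name: value}}.
    REG_SZ strings are unescaped, REG_DWORD becomes int, other types
    (hex(...) blobs) are kept as their raw text."""
    # Re-join values continued across lines with a trailing backslash.
    logical: List[str] = []
    for raw in text.splitlines():
        if logical and logical[-1].endswith('\\'):
            logical[-1] = logical[-1][:-1] + raw.strip()
        else:
            logical.append(raw.rstrip())

    keys: Dict[str, Dict[str, object]] = {}
    current: Optional[str] = None
    for line in logical:
        m = _KEY_RE.match(line)
        if m:
            # "[-KEY]" is a deletion directive and carries no values.
            current = None if m.group(1) else m.group(2)
            if current is not None:
                keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if not m or current is None:
            continue
        name = '@' if m.group(1) is None else _unescape(m.group(1))
        raw_value = m.group(2).strip()
        value: object
        if len(raw_value) >= 2 and raw_value.startswith('"') and raw_value.endswith('"'):
            value = _unescape(raw_value[1:-1])
        elif raw_value.lower().startswith('dword:'):
            value = int(raw_value[6:], 16)
        else:
            value = raw_value
        keys[current][name] = value
    return keys


def scan_reg_text(text: str) -> List[Finding]:
    """Return one Finding per AppInit DLL, Run entry or IFEO hijack artifact."""
    findings: List[Finding] = []
    for key, values in parse_reg(text).items():
        k = key.lower()
        lv = {n.lower(): v for n, v in values.items()}  # value names are case-insensitive
        if k.endswith(r'\windows nt\currentversion\windows'):   # also matches the Wow6432Node copy
            dlls = lv.get('appinit_dlls')
            if isinstance(dlls, str) and dlls.strip():
                # The list is only honoured when LoadAppInit_DLLs=1; with
                # RequireSignedAppInit_DLLs=0 unsigned DLLs are accepted too.
                loaded = lv.get('loadappinit_dlls') == 1
                state = 'active' if loaded else 'set but LoadAppInit_DLLs is off'
                if loaded and lv.get('requiresignedappinit_dlls') == 0:
                    state += ', unsigned DLLs allowed'
                findings.append(Finding('appinit', key, f'{dlls} ({state})'))
        elif re.search(r'\\microsoft\\windows\\currentversion\\run(once)?$', k):
            for name, val in values.items():
                findings.append(Finding('run', key, f'{name} -> {val}'))
        elif '\\image file execution options\\' in k:
            image = key.rsplit('\\', 1)[-1]
            if 'debugger' in lv:
                findings.append(Finding('ifeo', key, f'{image} launches via Debugger={lv["debugger"]}'))
            gflag = lv.get('globalflag')
            if isinstance(gflag, int) and gflag & 0x200:  # FLG_MONITOR_SILENT_PROCESS_EXIT
                findings.append(Finding('ifeo', key,
                                        f'{image} has FLG_MONITOR_SILENT_PROCESS_EXIT set (GlobalFlag=0x{gflag:x})'))
    return findings


if __name__ == '__main__':
    for f in scan_reg_text(SAMPLE_REG):
        print(f'[{f.category}] {f.key}\n    {f.detail}')
```

Real exports written by `reg export` are UTF-16 with a byte-order mark, so read them with `open(path, encoding='utf-16').read()` before passing the text in. The scanner reports an AppInit DLL as "active" only when LoadAppInit_DLLs is 1, since a populated AppInit_DLLs value with the loader switch off is never loaded; a Debugger value under an IFEO subkey is reported regardless of target because any such entry redirects execution of that image.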
