General
- Target: d562b3b44859f761645676e0c0e7daad1226c5b90f53b4fe5e5395bf77454ec7.exe
- Size: 384KB
- Sample: 240417-r35qbscf25
- MD5: 3170aed3eb44bd638cce6f67650d4b50
- SHA1: 22519afd371ed56fe6b4b4565534e09d0dd20453
- SHA256: d562b3b44859f761645676e0c0e7daad1226c5b90f53b4fe5e5395bf77454ec7
- SHA512: 7e7c6289de619d06a7ca36fdb11d3d1a04e0913dffcfabac7af71213e2e8c54bb367ecf318b07e40b8734d3a7db92cb5de6f73e99caa9c254eec876130c93f36
- SSDEEP: 6144:F9b8+wW/Wco9GZbOHqYCGwYyX9Y1J3yVA3Upzm88TKmIImK4E7AjEwYM/vYZu6Yj:Tb8+/hbOHsG46Xx6mWIFNOYM/h8cvB
Static task
- static1
Behavioral task
- behavioral1
- Sample: d562b3b44859f761645676e0c0e7daad1226c5b90f53b4fe5e5395bf77454ec7.exe
- Resource: win7-20240221-en
Malware Config
Extracted
- stealc
- http://185.172.128.209
- url_path: /3cd2b41cbde8fc9c.php
Targets
- Target: d562b3b44859f761645676e0c0e7daad1226c5b90f53b4fe5e5395bf77454ec7.exe
- Glupteba payload
- Modifies firewall policy service
- Blocklisted process makes network request
- Downloads MZ/PE file
- Modifies Windows Firewall
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops Chrome extension
- Drops desktop.ini file(s)
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)
Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (3)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)