General

  • Target

    ReimagePackage.exe

  • Size

    12.3MB

  • Sample

    240418-qbhaaaea73

  • MD5

    0cf8715cbdee01676d24f4f78c7b431f

  • SHA1

    74989063fd05ffb28d0d705c583c2c6b1e9aef99

  • SHA256

    4de22f65551da53a761b1e9049abfcfdeddb4f36dfd50503f4ac45a0e4f972a4

  • SHA512

    248e107e97b2c1c1172abcadffee1497fbf8f75a0b343d983cf13410c2c74c6a7bd23f5d5ece32e76b2521b0a1543f4f6b62a4e8e407ba27ce722e2290976327

  • SSDEEP

    196608:pSjaAQ7Z8aVC/xE4hVS930UqN2FItiZESkM8ZCLfsFrrdTM4nGgAU1Q+osH:oOAQaBvWq0QiZH18ZaIr2qG/sH

Malware Config

Targets

    • Target

      ReimagePackage.exe

    • Size

      12.3MB

    • MD5

      0cf8715cbdee01676d24f4f78c7b431f

    • SHA1

      74989063fd05ffb28d0d705c583c2c6b1e9aef99

    • SHA256

      4de22f65551da53a761b1e9049abfcfdeddb4f36dfd50503f4ac45a0e4f972a4

    • SHA512

      248e107e97b2c1c1172abcadffee1497fbf8f75a0b343d983cf13410c2c74c6a7bd23f5d5ece32e76b2521b0a1543f4f6b62a4e8e407ba27ce722e2290976327

    • SSDEEP

      196608:pSjaAQ7Z8aVC/xE4hVS930UqN2FItiZESkM8ZCLfsFrrdTM4nGgAU1Q+osH:oOAQaBvWq0QiZH18ZaIr2qG/sH

    • Uses Session Manager for persistence

      Creates Session Manager registry key to run executable early in system boot.

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Downloads MZ/PE file

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Modifies WinLogon

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops file in System32 directory

    • Target

      $PLUGINSDIR/AccessControl.dll

    • Size

      8KB

    • MD5

      65d017ba65785b43720de6c9979a2e8c

    • SHA1

      0aed2846e1b338077bae5a7f756c345a5c90d8a9

    • SHA256

      ccc6aaf1071d9077475b574d9bf1fc23de40a06547fc90cf4255a44d3bf631ac

    • SHA512

      31a19105892d5a9b49eb81a90a2330c342a5504fa4940b99a12279a63e1a19ee5d4b257d0900794ff7021a09408995a5d12e95cc38f09cf12fb2fd860d205c95

    • SSDEEP

      96:18YNfTAJj9KMMVSyPg8uxZAQ/zdVJF/mSsQwV6i8zRRxqBt/FZTIVe7/cIH8ykeO:1XwKMMfPuxJ/zb+b6fR+bZEwywQ9

    Score
    7/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      $PLUGINSDIR/DcryptDll.dll

    • Size

      156KB

    • MD5

      4c373143ee342a75b469e0748049cd24

    • SHA1

      d4e0e5155e78b99ec9459136acece2364bc2e935

    • SHA256

      b4b5772a893e56aa5382aa3f0fef7837fa471e3b3e46db70b8bc702f2037e589

    • SHA512

      569f92c3ff9a6e105cf9b3806d8b696442a5679dfa5d7c9362b0649a67cbea2478ca28a5da6c3bd0edacdb634509d8584c6959a4cc13c38d596458f372832f61

    • SSDEEP

      3072:etvFO3r5Unb7FQwdkb6ckt+bBwmhqKUuWxvt+9/dh:etvAtUn3ewWc+

    Score
    3/10
    • Target

      $PLUGINSDIR/ExecDos.dll

    • Size

      5KB

    • MD5

      0deb397ca1e716bb7b15e1754e52b2ac

    • SHA1

      fbb9bcf872c5dbb4ca4c80fb21d41519bc273ef5

    • SHA256

      720be35cd1b4a333264713dc146b4ad024f3a7ad0644c2d8c6fcedd3c30e8a1f

    • SHA512

      507db0bee0897660750007e7ce674406acf9e8bf942cf26ded5654c07682757b07c9eb767bead0966478abc554dc9a6461c4288dc35d12cacfadad4c128f1bb7

    • SSDEEP

      96:J++xDiP4p7t7dNOt3stxtRFFXxGD6qxlnKE6ttdH3r3:Rx9pJ7jQs5toD6Cln/6tt1

    Score
    3/10
    • Target

      $PLUGINSDIR/IpConfig.dll

    • Size

      118KB

    • MD5

      a75e3775daac9958610ce1308e0bca3b

    • SHA1

      d83ce354cde527c2e20fb425415f6d4795dd4cd4

    • SHA256

      fe2093ff4bfa1d7259c922aca1e7bb219c4d234e469942446d9e2f8086b7d720

    • SHA512

      48168a91ec90df262b1e158f32b4bc2a6d6ce10022eb96d4a6f3c755b977e5c104558626adaa214bda29d7f1d246f19e2df59b9a338982aa1c623e1bdd5714c6

    • SSDEEP

      3072:oa/4Ftm9rSlia00FW96LOsWNQmtQ9WVx95+tTIJ:t/4S9raiae8DSDtQ9W3utEJ

    Score
    3/10
    • Target

      $PLUGINSDIR/LogEx.dll

    • Size

      44KB

    • MD5

      0f96d9eb959ad4e8fd205e6d58cf01b8

    • SHA1

      7c45512cbdb24216afd23a9e8cdce0cfeaa7660f

    • SHA256

      57ede354532937e38c4ae9da3710ee295705ea9770c402dfb3a5c56a32fd4314

    • SHA512

      9f3afb61d75ac7b7dc84abcbf1b04f759b7055992d46140dc5dcc269aed22268d044ee8030f5ea260bbb912774e5bbb751560c16e54efa99c700b9fc7d48832c

    • SSDEEP

      384:w4NSXFjXCATBAQR4F1Y5u6I3wa4W7KNP66BjLjyXB0JyuDchv8EnohgSil2X:woaF+ATCQye/I3KWmxj00Jyb8Enov

    Score
    3/10
    • Target

      $PLUGINSDIR/ProtectorUpdater.exe

    • Size

      371KB

    • MD5

      7aa7e8423194f3edf6d1d82ade82acb3

    • SHA1

      a4ca6d67fc43dd742e87b4c82237cdc8b1bb22d9

    • SHA256

      1ba53128ef67d7e355b2e44c90c4bfe3dddff4546ad4e9c75e249d4850250361

    • SHA512

      e5fc8a1b515f41f60810ec12f5e36263c889c60b06c6b94450eec910a32ba91fba74bd757d54966d657d37a5ca3c5e9bb23f58f3de4255c276e046b6f1be28bb

    • SSDEEP

      6144:W50gUCBmByEhoO3RMMJOq2hQ8E9QcwtzH+gTBxnlimMb8GVNVOaj7g0EgVZ+p8VI:I0g9mg67h7JO9E9YzewxnlelOq8s+p86

    Score
    3/10
    • Target

      $PLUGINSDIR/AccessControl.dll

    • Size

      8KB

    • MD5

      65d017ba65785b43720de6c9979a2e8c

    • SHA1

      0aed2846e1b338077bae5a7f756c345a5c90d8a9

    • SHA256

      ccc6aaf1071d9077475b574d9bf1fc23de40a06547fc90cf4255a44d3bf631ac

    • SHA512

      31a19105892d5a9b49eb81a90a2330c342a5504fa4940b99a12279a63e1a19ee5d4b257d0900794ff7021a09408995a5d12e95cc38f09cf12fb2fd860d205c95

    • SSDEEP

      96:18YNfTAJj9KMMVSyPg8uxZAQ/zdVJF/mSsQwV6i8zRRxqBt/FZTIVe7/cIH8ykeO:1XwKMMfPuxJ/zb+b6fR+bZEwywQ9

    Score
    7/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      $PLUGINSDIR/ExecDos.dll

    • Size

      5KB

    • MD5

      0deb397ca1e716bb7b15e1754e52b2ac

    • SHA1

      fbb9bcf872c5dbb4ca4c80fb21d41519bc273ef5

    • SHA256

      720be35cd1b4a333264713dc146b4ad024f3a7ad0644c2d8c6fcedd3c30e8a1f

    • SHA512

      507db0bee0897660750007e7ce674406acf9e8bf942cf26ded5654c07682757b07c9eb767bead0966478abc554dc9a6461c4288dc35d12cacfadad4c128f1bb7

    • SSDEEP

      96:J++xDiP4p7t7dNOt3stxtRFFXxGD6qxlnKE6ttdH3r3:Rx9pJ7jQs5toD6Cln/6tt1

    Score
    3/10
    • Target

      $PLUGINSDIR/IpConfig.dll

    • Size

      118KB

    • MD5

      a75e3775daac9958610ce1308e0bca3b

    • SHA1

      d83ce354cde527c2e20fb425415f6d4795dd4cd4

    • SHA256

      fe2093ff4bfa1d7259c922aca1e7bb219c4d234e469942446d9e2f8086b7d720

    • SHA512

      48168a91ec90df262b1e158f32b4bc2a6d6ce10022eb96d4a6f3c755b977e5c104558626adaa214bda29d7f1d246f19e2df59b9a338982aa1c623e1bdd5714c6

    • SSDEEP

      3072:oa/4Ftm9rSlia00FW96LOsWNQmtQ9WVx95+tTIJ:t/4S9raiae8DSDtQ9W3utEJ

    Score
    3/10
    • Target

      $PLUGINSDIR/LogEx.dll

    • Size

      44KB

    • MD5

      0f96d9eb959ad4e8fd205e6d58cf01b8

    • SHA1

      7c45512cbdb24216afd23a9e8cdce0cfeaa7660f

    • SHA256

      57ede354532937e38c4ae9da3710ee295705ea9770c402dfb3a5c56a32fd4314

    • SHA512

      9f3afb61d75ac7b7dc84abcbf1b04f759b7055992d46140dc5dcc269aed22268d044ee8030f5ea260bbb912774e5bbb751560c16e54efa99c700b9fc7d48832c

    • SSDEEP

      384:w4NSXFjXCATBAQR4F1Y5u6I3wa4W7KNP66BjLjyXB0JyuDchv8EnohgSil2X:woaF+ATCQye/I3KWmxj00Jyb8Enov

    Score
    3/10
    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      bf712f32249029466fa86756f5546950

    • SHA1

      75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

    • SHA256

      7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

    • SHA512

      13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

    • SSDEEP

      192:0N2gQuUwXzioj4KALV2upWzVd7q1QDXEbBZ8KxHdGzyS/Kx:rJoiO8V2upW7vQjS/

    Score
    3/10
    • Target

      $PLUGINSDIR/UserInfo.dll

    • Size

      4KB

    • MD5

      c7ce0e47c83525983fd2c4c9566b4aad

    • SHA1

      38b7ad7bb32ffae35540fce373b8a671878dc54e

    • SHA256

      6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae

    • SHA512

      ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

    Score
    3/10
    • Target

      $PLUGINSDIR/WmiInspector.dll

    • Size

      78KB

    • MD5

      b757cd400e19c6722e721e27a6db1cfd

    • SHA1

      2e07f3a7b036c3c263049af483721f88ecdb2c53

    • SHA256

      26c8981d7e3cd8093c40bb7da0c045e89f6dfc1a0888efaac9e22a555d763142

    • SHA512

      9e4675f380d7b79ac0c2f59c8b38663710798f8ee19233aabbd9f5ba81b74901c4f7c0e3d982ccca640ca240b631f889daad27160d3456ed7bb66ffe68e29e72

    • SSDEEP

      1536:0o0RUqYnecKBiygONayX2PYnyBN1yksAPvTbhKJB:0/LZiCwyCVPnhM

    Score
    3/10
    • Target

      $PLUGINSDIR/inetc.dll

    • Size

      31KB

    • MD5

      5da9df435ff20853a2c45026e7681cef

    • SHA1

      39b1d70a7a03e7c791cb21a53d82fd949706a4b4

    • SHA256

      9c52c74b8e115db0bde90f56382ebcc12aff05eb2232f80a4701e957e09635e2

    • SHA512

      4ab3b1572485a8a11863adada2c6ec01e809a4b09f99d80903c79a95b91f299b8f2cd6cceaa915567e155a46291a33fb8ccb95141d76d4e7b0e040890d51d09f

    • SSDEEP

      768:FRci+9MscTJMR2+d8heiwhSruaFajMGbJDVVG08:Fg9sTJv+AVwhl25ci

    Score
    3/10
    • Target

      $PLUGINSDIR/md5dll.dll

    • Size

      6KB

    • MD5

      7059f133ea2316b9e7e39094a52a8c34

    • SHA1

      ee9f1487c8152d8c42fecf2efb8ed1db68395802

    • SHA256

      32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f

    • SHA512

      9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

    • SSDEEP

      96:5mArJv6F3TqDmgK4ghEin1US36eHQZDUDgGogZcko5Nt4AMP:5XJ63LhR6inZ6dsgZkKQT

    Score
    7/10
    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks

static1

upx
Score
7/10

behavioral1

discoverypersistencespywarestealerupx
Score
8/10

behavioral2

discoverypersistencespywarestealerupx
Score
7/10

behavioral3

upx
Score
7/10

behavioral4

upx
Score
7/10

behavioral5

Score
3/10

behavioral6

Score
3/10

behavioral7

Score
3/10

behavioral8

Score
3/10

behavioral9

Score
3/10

behavioral10

Score
3/10

behavioral11

Score
3/10

behavioral12

Score
3/10

behavioral13

Score
3/10

behavioral14

Score
3/10

behavioral15

upx
Score
7/10

behavioral16

upx
Score
7/10

behavioral17

Score
3/10

behavioral18

Score
3/10

behavioral19

Score
3/10

behavioral20

Score
3/10

behavioral21

Score
3/10

behavioral22

Score
3/10

behavioral23

Score
3/10

behavioral24

Score
3/10

behavioral25

Score
3/10

behavioral26

Score
3/10

behavioral27

Score
3/10

behavioral28

Score
3/10

behavioral29

Score
3/10

behavioral30

Score
3/10

behavioral31

upx
Score
7/10

behavioral32

upx
Score
7/10