General

  • Target: PH Spoofer1.1.rar
  • Size: 276KB
  • Sample: 240428-xbbk3aea96
  • MD5: d46c6c089d13ccf6229652b06528dd3c
  • SHA1: b74d7ddebe175743d1e08c2d1eecc68276867a3e
  • SHA256: f6199fe0c5630f73c0cd588e71626ab8552fb312e90e441bbe6f1ebd50bc7ccb
  • SHA512: 23fd13b6202281e441056030d5263da048c21f07b0b9da8ac877233527ffd5051dc8b9d9f2611785c29f3dd8d1c2407072a73ded1f5cd4514dc92c580a68197b
  • SSDEEP: 6144:imsx6QtGXsc1xFQzWjlSSyafb+tQTywrubNyIMQ2i+eWq7:imX7dkWBS+b+tdwrubNyI5L+C

Targets

    • Target: Cleaner1 RUN ALL AS ADMIN.bat
    • Size: 4KB
    • MD5: ccf667986586fc0ee3a0898629a36ede
    • SHA1: 6ffaec4689d257344f8edd02d44d8388280fb162
    • SHA256: ca7dfbc65c1fde66413b5dd06f763cbe6b8be78c2a3b88030ccd5dfac23c07df
    • SHA512: 3e7f9b8df4c455595b57c18917ab9092f5cbd08545116788bcfa709e9edc79c36dae51493da7dc19ba04f69067a420755379a5b11a73205bd05b569f3c0c7ff3
    • SSDEEP: 48:5eB5uGLW8FktI/JHeUsY200qfDTfbi5t2Qzt2Nt2QVt2ttUFt2AAt2Aop+RAULJY:oHeZY2ELTTqMQPdwYrOPT

    Score: 8/10
    • Modifies Windows Firewall
    • Deletes itself

    • Target: Cleaner2.bat
    • Size: 22KB
    • MD5: 691a8da53eac534e67dd0a1afd8d7829
    • SHA1: fe9754ea0817ab1c3b43c3541ec0b8b5fb551aea
    • SHA256: 6d8474b60f28ee629a8b0eae25cc8c214d2e45c23e64445105389b530b535819
    • SHA512: 667193eee3fceb28c9fdce6017938d87d0666948cee6abe46f36e92055781e30d8e39d3835fcf7d8350f560873065c958e7e0c58aee242f770beade3be27d6f6
    • SSDEEP: 96:tVeN1ZifiB1ifIXi4C4AySST5bWV7oJnJdwTK4hS9X4V4j4V4z5Rg51fH84f/vWo:OZifinifILh9aswTthIIhU0

    Score: 7/10
    • Deletes itself

    • Target: Cleaner3.bat
    • Size: 162KB
    • MD5: 8c3967f9be32e3f7d07ee878e1794c13
    • SHA1: 4b0d632fd8f3d30147f4a5721e6fdfb0b0b470b7
    • SHA256: 11699f90d4533162a3b7ad620b61a9745a9a06989c3b93b217cd10dec64fb0ad
    • SHA512: 55519fabada9285bd96d043f3128a6ed4dffad624359c47b27342fe63e0e6f24d9cd35f1a7488da627f68146d4d803ee1e4e946384f62f5a1c32c4599d2ff9d4
    • SSDEEP: 768:xlkTPz5U3/D35lU14IYIXZBMjmgPBpszWQP54Iq5Knz5U3/D35lU14IYIXZBMjmB:Azhzp

    Score: 1/10

    • Target: Cleaner4.bat
    • Size: 111KB
    • MD5: 7d29dc3ace16b45ae3b437cf8aa7d65f
    • SHA1: fbcfde13c5522d808c321c58291cfa962f104655
    • SHA256: 317142fae707cbac948083d56b1163aa5a6a1b9270031d9e49ea79214ebe99ef
    • SHA512: 333d36985afdbe68fbe455d3f59cbe6fc77b0669de44194e07ca28dece06505a1bd5c354ef132df70b936f7ba2740241046b75ab86afbd4728c0da5371e576d9
    • SSDEEP: 768:zo9R/KZzmezF/svUsfg8gVhCBL1oPYdxCA1n5xpoL8oPlRPrPEPupL5LvLpLjLg3:E9xg8gUDRnvplQL5LvLpLjLnC

    Score: 8/10
    • Modifies Windows Firewall
    • Deletes itself

    • Target: Cleaner5.bat
    • Size: 867KB
    • MD5: 8ce83844fd35131310f9bd0d5e6ff7c7
    • SHA1: c2c164594d00ce9d5ea1758f80a13686ee44b06c
    • SHA256: 95c12291d36d894bdf2c62aca840822226871ee2ed4f1653bf22fd96d183b6c5
    • SHA512: 1e18a4c8389000dc2f171d331de374a39911c2c51c4ab8e4cca9d425884ef2d0a3c38794fb15926836537a19c6d68d72718a45b38687f0579eff035b4a766a04
    • SSDEEP: 3072:UYScHNYScTzg8gvRnvpWyhytyhy6LfgCWcUWgM+4oH9q4gH9/142:TEwE6l142

    Score: 7/10
    • Deletes itself
    • Drops file in System32 directory

    • Target: Cleaner6.bat
    • Size: 543KB
    • MD5: 9d39831f2328903820a7359ac3e479a8
    • SHA1: 2f2e720ed9b1462e5cdc8bc1d3a7e11fad6a887c
    • SHA256: 4769a969888d95e0594ac296c3b7cf593dbb26bd7d27a47dc2c59022c0675263
    • SHA512: dad147bf672e4d0e69524e8103f715d133e21790ed7e3c065a02722e36c05e3e3dd9bac633da1b3eaa509a41caac46841261258478b9ad9c0aea7aea42d4204d
    • SSDEEP: 1536:/sq0dLLLlL7LBL7vXgjIcHwL7DZQLwUDOmE8i/0fj8l9q0dLLLlL7LBL7vXgjcUQ:rLcUFivZ7jvzYx8+9oNQ0OL+

    Score: 7/10
    • Deletes itself
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
    • Enumerates connected drives
      Attempts to read the root path of hard drives other than the default C: drive.

    • Target: Cleaner7.bat
    • Size: 253KB
    • MD5: c26c52657c60cd9590dc11c8d6f563a5
    • SHA1: 7517d767b64d983fa28545dbedb76c937049e775
    • SHA256: 54ed81f8e76aba8298bd302f872b4e1bbabaee272575c39e0f18ddc23ad6c2f3
    • SHA512: 8844ec48ee632c59d4cd7421856e4cd160bdea86e4100fac72ae321cd6cb934352f85aaa3b727fd17a9e96c10592c013d44fe12d5850edfbc479df23b92cf00a
    • SSDEEP: 1536:VNoZxBOz2oCfgCWfr3bwUWgn8q01L5LvLpLjL5sff4oH9sffzs:UfgCW4UWgnh4oH9qzs

    Score: 8/10
    • Stops running service(s)
    • Deletes itself

    • Target: MAC.cmd
    • Size: 2KB
    • MD5: 9bb3424ce0882c73682a407477af163e
    • SHA1: c50786f19c4301d186db5fc1b56b8824013f1207
    • SHA256: 9c1cc4852d290f352f4ba6c6eca68a4ffb1fc19a514fbbda644855a7f23c0c61
    • SHA512: f530673e63f10f684416624f53aeeda6430a552d2d32b776f026e42f34e28b7f9f19bc6c61298dfaf0b5e1c104ad681433997646a277f889c9af2df9cec601ce

    Score: 1/10

    • Target: PH Spoofer.exe
    • Size: 309KB
    • MD5: ae570e5768742a572e36ac8d999c03f5
    • SHA1: 9eabf7fdc94adeb65248f7593cd6f0abd1448ef8
    • SHA256: 7db7e8ba889c41199e657fa9d263c5f18830a35bab6b810e267baadae1d938ae
    • SHA512: 8f46023ad4b561f9fcec5c62eba6a384e95b07dca8baeadcce9bf3039a07fb9adc6f2312a386689d291dad26d8f1476b72d8f5f7bc6a62220683f3ef221552e0
    • SSDEEP: 6144:qKjViFkFl/AAGbFd1cUp3AJEFzqlOcWluW4bLcCCQvjQL85d:2rA6Bl7GcCCQvjQL4d

    Score: 9/10
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
      BIOS information is often read in order to detect sandboxing environments.
    • Maps connected drives based on registry
      Disk information is often read in order to detect sandboxing environments.
