General

  • Target

    9373eeeb7d7a9c065afb641da6689c9d1982e949f6b6e5d7d228fbee397b83f0.zip

  • Size

    3.0MB

  • Sample

    240501-p9yjgshe55

  • MD5

    e75db1bb62b649d248d7696133d7bed3

  • SHA1

    fb6de8339ea911354215470a98387ea3c4e47261

  • SHA256

    db1aaf575d982c2d2326ef8731d7960b7f0cbf3a70c19d71d4a18aa96b159be8

  • SHA512

    611828631425e062e2802ee7dbb36b3f7a9eeb1798d8d169dc716b0072adf99f48c966454d2be95839e35194cd141f73e61c65e12416bc82967933e8c17033f3

  • SSDEEP

    49152:TPS5451yufLFFFM+ZIBbMIQ5Tb4Zu7Go08gN1oB0sX+z4kPQGoJT0mc:W41yuDFFFM+wb3w4zo6vEuzFEJT3c

Targets

    • Target

      9373eeeb7d7a9c065afb641da6689c9d1982e949f6b6e5d7d228fbee397b83f0.exe

    • Size

      3.1MB

    • MD5

      2bfbd889530f526aa6833886723e7fae

    • SHA1

      736e9f9229d6824ceb0e698debfa91244be827c1

    • SHA256

      9373eeeb7d7a9c065afb641da6689c9d1982e949f6b6e5d7d228fbee397b83f0

    • SHA512

      9b65d29a5d728e6caa14c0a53579b7ad9cd0c55e91390244b14fd933d027a2d7344b0856f3de2734326737533a0555c28e028131975f0da0a4dcbe19399fc5ee

    • SSDEEP

      98304:aaPb0LlPVs6Ccyq2DbrorXfGEdOq9FYz:aMwZNsTc52D/orXhdDFW

    • Drops file in Drivers directory

      Writes a file into the system Drivers directory (%SystemRoot%\System32\drivers), where kernel-mode driver images are kept.

    • Sets service image path in registry

      Writes the ImagePath value of a key under HKLM\SYSTEM\CurrentControlSet\Services, which tells the Service Control Manager which binary (or driver) to load for that service.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, and infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive user data.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

      Creates a value under a CurrentVersion\Run key so the application is launched at user logon.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Detected potential entity reuse from the Microsoft brand

      The sample reuses naming associated with Microsoft, which helps it pass as a legitimate Microsoft component.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger information class, which stops the thread from delivering debug events to an attached debugger. This is an anti-debugging technique with little legitimate use in ordinary software.
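
The three persistence signatures above (file in the Drivers directory, service ImagePath, Run key) leave registry artifacts an analyst can hunt for on a suspected host. The following is an added example, not part of the sandbox report and not the sample's own code: it parses `reg export`-style text (constructed here; every key, service and file name in it is invented), decodes both quoted REG_SZ and hex(2) REG_EXPAND_SZ values, and flags autostart entries and service images that live in user-writable locations, while setting kernel-driver entries aside for hash and signature review. It assumes %SystemRoot% is C:\Windows when resolving relative and \SystemRoot-prefixed paths.

```python
import re
from dataclasses import dataclass

# Constructed `reg export`-style text. Key, service and file names are invented
# for illustration; none come from the sample in this report.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\Updater\\svchost.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"ImagePath"=hex(2):5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,\
  5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,00,69,00,76,00,\
  65,00,72,00,73,00,5c,00,74,00,63,00,70,00,69,00,70,00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinUpdSvc]
"ImagePath"="\"C:\\ProgramData\\WinUpd\\winupd.exe\" -k"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hlpdrv]
"Type"=dword:00000001
"ImagePath"="system32\\drivers\\hlpdrv.sys"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
SERVICE_KEY = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\[^\\]+\\Services\\([^\\]+)$", re.I)
DRIVERS_DIR = re.compile(r"^[A-Za-z]:\\Windows\\System32\\drivers\\", re.I)
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\(Users|ProgramData|Windows\\Temp|Temp)\\", re.I)  # a lead, not a verdict
SYSTEM_ROOT = "C:\\Windows"  # assumption: %SystemRoot% on the examined host

@dataclass
class Finding:
    kind: str  # "run_key", "service" or "driver"
    name: str
    path: str
    suspicious: bool
    reason: str

def decode_data(raw: str) -> str:
    """Decode a .reg value: quoted REG_SZ, or hex(1)/hex(2) UTF-16LE string data."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r'\\(["\\])', r"\1", raw[1:-1])  # undo \" and \\ escapes
    m = re.match(r"hex\([12]\):(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    return raw  # dword: and binary hex: values are kept verbatim

def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Return {key path: {value name: decoded data}}; joins hex continuation lines first."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for line in re.sub(r"\\\r?\n\s*", "", text).splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            current = m.group(1)
            keys[current] = {}
        elif current is not None and (m := VALUE_RE.match(line)):
            keys[current][m.group(1)] = decode_data(m.group(2))
    return keys

def executable_path(command: str) -> str:
    """Pull the image path out of a Run/ImagePath value and make it absolute."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:  # unquoted: the image ends at the first " -x" or " /x" switch
        path = re.split(r"\s+[-/]", command, maxsplit=1)[0]
    path = re.sub(r"^\\\?\?\\", "", path)  # drop the NT object-manager prefix \??\
    path = re.sub(r"^(\\SystemRoot|%SystemRoot%)\\", lambda _: SYSTEM_ROOT + "\\", path, flags=re.I)
    if not re.match(r"^[A-Za-z]:\\", path):  # relative ImagePath resolves under %SystemRoot%
        path = SYSTEM_ROOT + "\\" + path
    return path

def triage(text: str) -> list[Finding]:
    """Flag autostart entries and service images that deserve a closer look."""
    findings: list[Finding] = []
    for key, values in parse_reg_export(text).items():
        if RUN_KEY.search(key):
            for name, data in values.items():
                path = executable_path(data)
                bad = bool(USER_WRITABLE.match(path))
                findings.append(Finding("run_key", name, path, bad,
                                        "autostart from user-writable path" if bad else "autostart from system/program path"))
        elif (m := SERVICE_KEY.match(key)) and "ImagePath" in values:
            path = executable_path(values["ImagePath"])
            # Type 1 = kernel driver, 2 = file-system driver; images under System32\drivers are drivers too
            driver = values.get("Type", "").lower() in ("dword:00000001", "dword:00000002") or bool(DRIVERS_DIR.match(path))
            if USER_WRITABLE.match(path):
                bad, reason = True, "service image in user-writable path"
            elif driver and not DRIVERS_DIR.match(path):
                bad, reason = True, "driver image outside System32\\drivers"
            else:
                bad, reason = False, "expected location; verify file hash/signature" if driver else "expected location"
            findings.append(Finding("driver" if driver else "service", m.group(1), path, bad, reason))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_REG_EXPORT):
        print(("!! " if f.suspicious else "   ") + f"{f.kind:8} {f.name:10} {f.path}  ({f.reason})")
```

A user-writable image path is only a lead: plenty of legitimate software autostarts from AppData, so every flagged entry still needs the file's hash compared against the report (and its signature checked) before it is treated as this sample. Driver entries are never flagged on location alone, because a dropped driver sits in the same directory as the legitimate ones; for those, the file hash is the only useful discriminator.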

MITRE ATT&CK Enterprise v15