8bdeb5a9779798cb13a29fe7e54751dafa6ef70fa3a4e16069ea3c77442732cf | Triage

Sharing

General

Target

8bdeb5a9779798cb13a29fe7e54751dafa6ef70fa3a4e16069ea3c77442732cf
Size

222KB
Sample

240502-alxvqabd2w
MD5

7a87f03a89b15ce00d59a490d76fb4f9
SHA1

2d2afca75d0c840bd215f6d22c7ed53c6c4a02df
SHA256

8bdeb5a9779798cb13a29fe7e54751dafa6ef70fa3a4e16069ea3c77442732cf
SHA512

e6de9ee9af6dd1fce4da8067d73111d217f85e61b793a77961968d783b9915fc592b7ce1776bab9f15aeee24363d925be86f861f50abab6477527494c5155c09
SSDEEP

3072:YsXRmUIMitPMQLse27vc+Eld+xZp2vPRL1tT06zJoxAWBcKpSP//dwlm2:ZR5ITMQLseGk7RZBGxAycKpSPX21

Score

10^/10

evasion persistence spyware stealer

Malware Config

Targets

- Target
  
  8bdeb5a9779798cb13a29fe7e54751dafa6ef70fa3a4e16069ea3c77442732cf
- Size
  
  222KB
- MD5
  
  7a87f03a89b15ce00d59a490d76fb4f9
- SHA1
  
  2d2afca75d0c840bd215f6d22c7ed53c6c4a02df
- SHA256
  
  8bdeb5a9779798cb13a29fe7e54751dafa6ef70fa3a4e16069ea3c77442732cf
- SHA512
  
  e6de9ee9af6dd1fce4da8067d73111d217f85e61b793a77961968d783b9915fc592b7ce1776bab9f15aeee24363d925be86f861f50abab6477527494c5155c09
- SSDEEP
  
  3072:YsXRmUIMitPMQLse27vc+Eld+xZp2vPRL1tT06zJoxAWBcKpSP//dwlm2:ZR5ITMQLseGk7RZBGxAycKpSPX21
Score

10^/10

evasion persistence spyware stealer
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

evasionpersistencespywarestealer