Resubmissions

05-05-2024 08:20

240505-j8fdmafc72 3

05-05-2024 08:08

240505-j1q56abh6w 10

General

  • Target

    custombuildnl.fr_1.exe

  • Size

    33.2MB

  • Sample

    240505-j1q56abh6w

  • MD5

    3b2b7e806989b481aeb8a71eb95c9e9e

  • SHA1

    dd1d80a59120aeaaa1239c05cf385579226747f7

  • SHA256

    56e17b8f1e7d3348d2c8730369594171547017906ffd95109dc2ec8da127ca48

  • SHA512

    9c4936b8b82092897f877825b6b6275b075f81a02bf0326792ecd393f3d839495ccb4422d2d55b95f35d5f509f59ff540e46826d7ddcbcb2f5d76d08eb759f00

  • SSDEEP

    786432:1dM77JXb1ukCDeE6q+m5jVagaIQm2q+L5+u9Y2KN:1dI1EDX6q3Am2F3K

Malware Config

Targets

    • Target

      custombuildnl.fr_1.exe

    • Size

      33.2MB

    • MD5

      3b2b7e806989b481aeb8a71eb95c9e9e

    • SHA1

      dd1d80a59120aeaaa1239c05cf385579226747f7

    • SHA256

      56e17b8f1e7d3348d2c8730369594171547017906ffd95109dc2ec8da127ca48

    • SHA512

      9c4936b8b82092897f877825b6b6275b075f81a02bf0326792ecd393f3d839495ccb4422d2d55b95f35d5f509f59ff540e46826d7ddcbcb2f5d76d08eb759f00

    • SSDEEP

      786432:1dM77JXb1ukCDeE6q+m5jVagaIQm2q+L5+u9Y2KN:1dI1EDX6q3Am2F3K

    • MilleniumRat

      MilleniumRat is a remote access trojan written in C#.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks