General

  • Target: Cleaner.rar
  • Size: 17.9MB
  • Sample: 240508-1s8tnshe8w
  • MD5: a5771ca0c51bc0214cdca8388fd8b9b3
  • SHA1: cfcbe15396b36f92377511926fe08ddacdd66def
  • SHA256: af087e44b9920b0dd59aac8a366a167d5f5457e608b6616450d73956294a9500
  • SHA512: 10bbbdcba9fc259d763163f50a0878e1d9a2866fbfe11f7cf4936d658b35863e69934aa8be9e2e5b27b83ca038f4a6e1b857b2d49e4506bcec57a1c2711b09a7
  • SSDEEP: 393216:qxsxQP6Z84bdg2IemDJHyHfvS5DyKnot2OTuL9Z9OEpr4h+nTXRbpxLC2wzNGURD:XxE084bdgsm359n49GZ9OEpC+znxLStH

Malware Config

Targets

    • Target: Cleaners/applecleaner.exe
    • Size: 3.6MB
    • MD5: f96eb2236970fb3ea97101b923af4228
    • SHA1: e0eed80f1054acbf5389a7b8860a4503dd3e184a
    • SHA256: 46fe5192387d3f897a134d29c069ebf39c72094c892134d2f0e77b12b11a6172
    • SHA512: 2fd2d28c5f571d40b43a4dd7a22d367ba42420c29627f21ca0a2052070ffb9f689d80dad638238189eed26ed19af626f47e70f1207e10007041c620dac323cc7
    • SSDEEP: 98304:z7m+ij9HD0+jCihNRkl/W6aG/wcKnfu8NUT6Ko:e+y4ihkl/Wo/afHPb

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Modifies Windows Firewall

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target: Cleaners/applecperm.exe
    • Size: 14.3MB
    • MD5: 9405b56af4d2bd0546ed27ed1d68b1ab
    • SHA1: 8c7d5c8563f621c2cffafc9ccd4a156cfb7ec8f8
    • SHA256: 6e997d7cdd07a8c173b569bedda6aaaf1b5ac10e5391a98c2f4593c5fc284b30
    • SHA512: 96c6b04730ba00d6ba1bc6f90fa1e484594a39fd83b4c22a2b8646cfb1220c20cf5dc819e63ef3100ca66a3c302eb00b1d3b564e034d34b7995c20c9befc21d4
    • SSDEEP: 393216:aiIE7YoPQMidQuslSq99oWOv+9fgEIlIQvew:D7rPQ3dQuSDorvSYEIpvf

    Score: 7/10

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target: Cleaners/clean1.bat
    • Size: 578KB
    • MD5: 471546f6de675803f384262a9d0d17de
    • SHA1: da7ae8fc83f5feee8bf16517f04fbc20d8b61cfa
    • SHA256: 880dc9c7a7291a729d4ce07bc300d90665f262834cfb6501505ab3061b7a06dc
    • SHA512: 010d32d05ee599f67b036d1852d8deac0422d168ed68ad4b5147bb858252f348b882d563efd087922b474915ada9c39852c25e569de408bdd4a4d6fb7ebefbbb
    • SSDEEP: 1536:5iYLmcHjgkpYLmcTzg8gcDRnvplQL5LvLpLjLwazhztzh4Wo:gYScH9YScTzg8gURnvpWzhztzhDo

    Score: 5/10

    • Drops file in System32 directory

    • Target: Cleaners/clean2.bat
    • Size: 854KB
    • MD5: 181b6db3092989609f7878c4e51aa220
    • SHA1: c2f2eb7aa2ad301f76598164daaf04574846c58d
    • SHA256: 798f56c1a6e8f546d57386f93fba2c138b687a002c89535e114ceb938a33970d
    • SHA512: e9ebfa63520d9b00516deb11cdfda317fcb8edeafb453001ee999ba0bfb06f0b80ff026ba5b80fe8d78d80313501e814f94070de5dfcbcba8d131591ea37ba4f
    • SSDEEP: 6144:XtJlSvOPgunY1X7G4LsMrkDWUpWOlBkORX:9qvOPgunY1K4LsMrkDWUpWOlBkORX

    Score: 4/10

    • Target: Cleaners/clean3.bat
    • Size: 343KB
    • MD5: 3de20f421e4b66e61c52633f5207d81c
    • SHA1: 91e2413af1bef8e7739d2185f4c69b4e11b35914
    • SHA256: 2c36eb24e6479bb955c04569b6cf9d30a8ac9a56fe15cb65a7ff24709b8ea021
    • SHA512: 94cad8e43aa70cd5f222f4d6997360b0ae7c2f3b89b5ef1244dd8b5f7825da6ab724ba8ead5aa3a1b04ffb5e6650787424226cc4f31602cf45112dd577dc1492
    • SSDEEP: 1536:7Z/gxTrKL5LvLpLjLwO6WTaPAyz7AeOreL5LvLpLjLwmD7o0PeEJJPMCO:7VgxTr4+PBz7AeOrKo0PA

    Score: 1/10

    • Target: Cleaners/clean4.bat
    • Size: 853KB
    • MD5: d4c34b33b42ce1a0aa1227fa3a768124
    • SHA1: 796606e45d27fd332c6143f6f09cef3c8a522493
    • SHA256: d2f5b505cd5a6baaabb9d1f51f6b5800139034db44e220f83b44cd66b3197b38
    • SHA512: 33ffd3944bfe182cfcd9f40bb73af997db37692f6a769953e931af24acbebaa2a698254860fc2095cd507d84a2437907016cc8d1bd3614cf6899f6428ef86ff1
    • SSDEEP: 6144:5tJVSIIgunYMX7GmOgDsMrODuUpW/kBkOR1:X6IIgunYMKmOgDsMrODuUpW/kBkOR1

    Score: 1/10

    • Target: Cleaners/clean5.bat
    • Size: 275KB
    • MD5: 2b043c717d3e6336adfdd1cb074bbe88
    • SHA1: c08abb3f64f9e22a73d9e7032a49448a0180d7c2
    • SHA256: 709731808b76e8cb0c479131c862281ca9bc611cf6936b0af195feb2320fd1c2
    • SHA512: e9967d207fdb6cf8e6d17481f4daa9acf76f9a11bcb71bb7bddaf44a54416eadbedc43c6ba31e93cb9b1512cb316a41ec3062c6d7e2794a01233ee8d3bd739d2
    • SSDEEP: 768:5WvY2SxOgxaLobPjlP0RnFGwJh7hbPEPdrdHTL9KEJm/R450O1vNZmVWnrfrdPwh:5ge1mIbrd1w04g/36fL5LvLpLjL5KL2v

    Score: 1/10

MITRE ATT&CK Matrix (ATT&CK v13)

Each entry lists the technique, its ATT&CK ID, and the number of matched behaviours.

Execution
  • Command and Scripting Interpreter (T1059): 2

Persistence
  • Create or Modify System Process (T1543): 1
    • Windows Service (T1543.003): 1

Privilege Escalation
  • Create or Modify System Process (T1543): 1
    • Windows Service (T1543.003): 1

Defense Evasion
  • Virtualization/Sandbox Evasion (T1497): 1
  • Impair Defenses (T1562): 1
    • Disable or Modify System Firewall (T1562.004): 1

Credential Access
  • Unsecured Credentials (T1552): 2
    • Credentials In Files (T1552.001): 2

Discovery
  • Query Registry (T1012): 5
  • Virtualization/Sandbox Evasion (T1497): 1
  • System Information Discovery (T1082): 8
  • Process Discovery (T1057): 1

Collection
  • Data from Local System (T1005): 2

Command and Control
  • Web Service (T1102): 1

Tasks