2c2ba49344c77b9dfa0f52c0098b7ec6eb90d118c620ba161cd14af447427890 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

16501a177497cb8f84b87ba8adfb0b40_NeikiAnalytics
Size

220KB
Sample

240510-13y28ace6t
MD5

16501a177497cb8f84b87ba8adfb0b40
SHA1

ecf4e2f74b509aca27db34840538f87a22e74cc6
SHA256

2c2ba49344c77b9dfa0f52c0098b7ec6eb90d118c620ba161cd14af447427890
SHA512

74f099be591ee5835e8cb1c1bf0b343fcbbae1a00033c827b811823bae575e3d16b513df6f565cd62d5c87a5161b748229b3a2ee15e8ac2167347dfda203ee3e
SSDEEP

3072:YsXRmUIMitiMQose27vc+Eld+xZp2vPRL1tT06zJoxAWBcKpSP//dwRm0:ZR5IuMQoseGk7RZBGxAycKpSPX27

Score

10^/10

evasion persistence spyware stealer

Malware Config

Targets

- Target
  
  16501a177497cb8f84b87ba8adfb0b40_NeikiAnalytics
- Size
  
  220KB
- MD5
  
  16501a177497cb8f84b87ba8adfb0b40
- SHA1
  
  ecf4e2f74b509aca27db34840538f87a22e74cc6
- SHA256
  
  2c2ba49344c77b9dfa0f52c0098b7ec6eb90d118c620ba161cd14af447427890
- SHA512
  
  74f099be591ee5835e8cb1c1bf0b343fcbbae1a00033c827b811823bae575e3d16b513df6f565cd62d5c87a5161b748229b3a2ee15e8ac2167347dfda203ee3e
- SSDEEP
  
  3072:YsXRmUIMitiMQose27vc+Eld+xZp2vPRL1tT06zJoxAWBcKpSP//dwRm0:ZR5IuMQoseGk7RZBGxAycKpSPX27
Score

10^/10

evasion persistence spyware stealer
- Modifies WinLogon for persistence
  persistence
- Modifies visiblity of hidden/system files in Explorer
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

evasionpersistencespywarestealer