Resubmissions

13-05-2024 14:58

240513-sb9qmsca98 10

09-05-2024 13:14

240509-qgmryseb83 10

General

  • Target

    EOSTATE_Exposure_Client-x64-Setup.exe

  • Size

    408.0MB

  • Sample

    240513-sb9qmsca98

  • MD5

    69d005fc36c4f68edc113da0eb8099d9

  • SHA1

    bcf3da5d461b0aa07e4f3fe2c1911c0d8af5fb58

  • SHA256

    38a53fcf837bef903a5fe590312a8c1f0f7988864c7b7576752569f6a62a4d88

  • SHA512

    05ee3f68265c8461e93e5a996bb3b91ef612a054eb1730b4955ec13b6a096d785d5d7b296c52d766419a57d279b2ce69e5709a4271687f16af06e64885044c33

  • SSDEEP

    12582912:F0H9cqAhsKOz/uvqDDNxvqdN0PHXQvnDd5fV9641Q70Uhd:09FALOzAq3idN0PgbzNc41Q7Vhd

Malware Config

Targets

    • Target

      EOSTATE_Exposure_Client-x64-Setup.exe

    • Size

      408.0MB

    • MD5

      69d005fc36c4f68edc113da0eb8099d9

    • SHA1

      bcf3da5d461b0aa07e4f3fe2c1911c0d8af5fb58

    • SHA256

      38a53fcf837bef903a5fe590312a8c1f0f7988864c7b7576752569f6a62a4d88

    • SHA512

      05ee3f68265c8461e93e5a996bb3b91ef612a054eb1730b4955ec13b6a096d785d5d7b296c52d766419a57d279b2ce69e5709a4271687f16af06e64885044c33

    • SSDEEP

      12582912:F0H9cqAhsKOz/uvqDDNxvqdN0PHXQvnDd5fV9641Q70Uhd:09FALOzAq3idN0PgbzNc41Q7Vhd

    • Modifies firewall policy service

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets file execution options in registry

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks