a4fe243149098e686dc03949add7c5d643ef17cc8357bd566a884107ac8b502c

General

Target

wZ94mZ.exe
Size

9.5MB
Sample

240514-1rcpvaaf59
MD5

9ed3af21985edc2b5563b506369a5e44
SHA1

61a2e47af955690c976699a36892093312c0282c
SHA256

a4fe243149098e686dc03949add7c5d643ef17cc8357bd566a884107ac8b502c
SHA512

a0d9584ec811623c3e7aadcba2dd63de82b301bfe0e7b85a0094c90982563ef1b2dd19a3be61aa02095dc3a3e875d1342f65f0e38d83b7190c381d059568921b
SSDEEP

98304:GVw+GrhM4J/nQHoQI8L6ts7JSe+1uEDPEEPxGhM/7f:QqhM4RnQHKLDf2M/7

Score

8^/10

Malware Config

Targets

- Target
  
  wZ94mZ.exe
- Size
  
  9.5MB
- MD5
  
  9ed3af21985edc2b5563b506369a5e44
- SHA1
  
  61a2e47af955690c976699a36892093312c0282c
- SHA256
  
  a4fe243149098e686dc03949add7c5d643ef17cc8357bd566a884107ac8b502c
- SHA512
  
  a0d9584ec811623c3e7aadcba2dd63de82b301bfe0e7b85a0094c90982563ef1b2dd19a3be61aa02095dc3a3e875d1342f65f0e38d83b7190c381d059568921b
- SSDEEP
  
  98304:GVw+GrhM4J/nQHoQI8L6ts7JSe+1uEDPEEPxGhM/7f:QqhM4RnQHKLDf2M/7
Score

8^/10

persistence execution spyware stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops file in Drivers directory
- Executes dropped EXE
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2