General

  • Target

    2024-05-15_04d79f61648498cb9738cc7ef907f640_ngrbot_snatch

  • Size

    11.8MB

  • Sample

    240515-1lgfvadg78

  • MD5

    04d79f61648498cb9738cc7ef907f640

  • SHA1

    2e2523bb6adb6b3134278969de9cee511c512ade

  • SHA256

    135211ce32a3f602fac3f965ee195cc679d413bb3cb1d7ebf3a43f41e6f6104d

  • SHA512

    78f7e6b70836ec0cd91c31afd4cf28a0abfc07624da62ab243dc379d9c2e757017172982159e87e518bf31ddd5cb06a673742ac0affd65fb283326ecb337cde1

  • SSDEEP

    98304:ce/Ug30aM7wKnCZ714shyP4AduL3EFDY1pqxu/CRjZNlZbp4vHzz:cTy0aM4qshWdU0FD2pqfZxKzz

Malware Config

Targets

    • Target

      2024-05-15_04d79f61648498cb9738cc7ef907f640_ngrbot_snatch

    • Size

      11.8MB

    • MD5

      04d79f61648498cb9738cc7ef907f640

    • SHA1

      2e2523bb6adb6b3134278969de9cee511c512ade

    • SHA256

      135211ce32a3f602fac3f965ee195cc679d413bb3cb1d7ebf3a43f41e6f6104d

    • SHA512

      78f7e6b70836ec0cd91c31afd4cf28a0abfc07624da62ab243dc379d9c2e757017172982159e87e518bf31ddd5cb06a673742ac0affd65fb283326ecb337cde1

    • SSDEEP

      98304:ce/Ug30aM7wKnCZ714shyP4AduL3EFDY1pqxu/CRjZNlZbp4vHzz:cTy0aM4qshWdU0FD2pqfZxKzz

    • Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables Discord URL observed in first stage droppers

    • Detects executables containing SQL queries to confidential data stores. Observed in infostealers

    • Detects executables containing URLs to raw contents of a Github gist

    • Detects executables containing possible sandbox system UUIDs

    • Detects executables referencing virtualization MAC addresses

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Drops file in Drivers directory

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

MITRE ATT&CK Enterprise v15

Tasks