General

  • Target

    freedom-patch-128122.exe

  • Size

    4.8MB

  • Sample

    240515-ntlz3sff3y

  • MD5

    8f24135b82683e2213db30adc4fb896d

  • SHA1

    593748ef90830147919164f089af67dccdae19d4

  • SHA256

    dad5ddd145ca40d72c91e6eb6a498ca077f1023057fa5dcbd9a1effbd6c78d54

  • SHA512

    9c82a7dc4757d03f0781bdf43ae8814a8e401e9a391fbf19dc53e79c89bbdd1d153e04824dac234acd4a47455ad8fe2ccd73ecbf56c769dfebcef5468aa5ab7b

  • SSDEEP

    98304:Zn927L7OUktystJR0rh+M7TaIDSa0817mZsJ/BpF+WBP1gEtJ:Zn9kfOUkostJRG+M7WIi8RmqF7Bd
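
To confirm that a file on hand is the sample this report describes, the following Python script (an added example, not part of the report or of the sandbox's own tooling) streams the file once through the four listed digests and compares the results with the report's values. It uses only the standard library; the SSDEEP fuzzy hash above needs a third-party module and is therefore not computed here. The temporary file in the demo is a constructed stand-in for a quarantined sample.

```python
import hashlib
import os
import tempfile

# Digests copied from the report above. The SSDEEP fuzzy hash is omitted
# because hashlib cannot compute it (it needs the ssdeep/ppdeep module).
REPORT_HASHES = {
    "md5": "8f24135b82683e2213db30adc4fb896d",
    "sha1": "593748ef90830147919164f089af67dccdae19d4",
    "sha256": "dad5ddd145ca40d72c91e6eb6a498ca077f1023057fa5dcbd9a1effbd6c78d54",
    "sha512": "9c82a7dc4757d03f0781bdf43ae8814a8e401e9a391fbf19dc53e79c89bbdd1d"
              "153e04824dac234acd4a47455ad8fe2ccd73ecbf56c769dfebcef5468aa5ab7b",
}


def hash_bytes(data: bytes) -> dict:
    """Hex digests of an in-memory buffer, one per algorithm in REPORT_HASHES."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in REPORT_HASHES}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Stream a file through all four hashes in a single pass; samples can be large."""
    hashers = {alg: hashlib.new(alg) for alg in REPORT_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def match_report(digests: dict, report: dict = REPORT_HASHES) -> dict:
    """Per-algorithm comparison against the report, case-insensitive."""
    return {alg: digests[alg].lower() == report[alg].lower() for alg in report}


def verdict(digests: dict, report: dict = REPORT_HASHES) -> str:
    """'match' when every digest agrees, 'mismatch' when none does.
    Partial agreement is almost always a mis-copied IOC (a real collision
    across these algorithms is not a realistic explanation), so it is
    reported separately instead of being folded into either outcome."""
    results = match_report(digests, report)
    if all(results.values()):
        return "match"
    if not any(results.values()):
        return "mismatch"
    return "inconsistent"


if __name__ == "__main__":
    # Constructed stand-in for a downloaded sample; a real run would point
    # hash_file() at the quarantined file instead.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"not the sample")
    try:
        digests = hash_file(tmp.name)
    finally:
        os.unlink(tmp.name)
    for alg, hexdigest in digests.items():
        print(f"{alg:6} {hexdigest}")
    print("verdict:", verdict(digests))
```

A matching SHA256 on its own is enough to say it is the same file; the other three digests are carried along so that a typo in one copied IOC shows up as "inconsistent" rather than as a false "mismatch".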

Targets

    • Target

      freedom-patch-128122.exe

    • Detects PlanetStealer

    • PlanetStealer

      A heavily obfuscated, Go-based information stealer.

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials and other sensitive material.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified build of it.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
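
The UPX signature above fires on packer artefacts in the PE file. As an added example (not the sandbox's own detection logic), the following Python parses a PE section table without third-party libraries and reports three independent indicators: the section names a stock UPX build writes, the first section being empty on disk but large in memory (stock UPX's unpack destination), and the "UPX!" marker left in the packed header. A modified UPX build that renames its sections, which the signature text allows for, trips only the layout heuristic; that is the caveat the second indicator exists for. The PE headers it inspects are constructed inline for the demonstration and are not loadable binaries.

```python
import struct

# Section names a stock UPX build writes. A modified UPX may rename them,
# which is why two further indicators are checked as well.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".UPX0", b".UPX1", b".UPX2"}


def pe_sections(data: bytes) -> list:
    """Parse a PE image's section table into (name, virtual_size, raw_size) tuples."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature: NumberOfSections at +2,
    # SizeOfOptionalHeader at +16. The section table follows the optional header.
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("section table runs past end of file")
        name = data[off:off + 8].rstrip(b"\0")
        vsize, _vaddr, rsize = struct.unpack_from("<III", data, off + 8)
        sections.append((name, vsize, rsize))
    return sections


def upx_indicators(data: bytes) -> list:
    """Names of the UPX indicators that fire on this image (empty list if none)."""
    sections = pe_sections(data)
    hits = []
    if any(name in UPX_SECTION_NAMES for name, _, _ in sections):
        hits.append("upx_section_names")
    # Stock UPX layout: the first section is the in-memory unpack destination,
    # so it has zero raw bytes on disk but a large virtual size. This survives
    # a rename of the section names.
    if sections and sections[0][2] == 0 and sections[0][1] > 0:
        hits.append("empty_first_section")
    # Unmodified UPX leaves its "UPX!" marker in the packed header.
    if b"UPX!" in data:
        hits.append("upx_magic")
    return hits


def build_pe(sections: list, trailer: bytes = b"") -> bytes:
    """Constructed test input: a minimal, non-loadable PE32 header carrying the
    given (name, virtual_size, raw_size) section entries. Not a real binary."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off)  # e_lfanew at 0x3C
    opt_size = 0xE0  # size of a PE32 optional header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    table = b""
    for name, vsize, rsize in sections:
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", vsize, 0x1000, rsize, 0, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + file_hdr + bytes(opt_size) + table + trailer


if __name__ == "__main__":
    # Three constructed headers: stock UPX, UPX with renamed sections, unpacked.
    samples = {
        "stock upx": build_pe(
            [(b"UPX0", 0x20000, 0), (b"UPX1", 0x8000, 0x8000), (b".rsrc", 0x1000, 0x1000)],
            b"UPX!"),
        "renamed upx": build_pe([(b".code", 0x20000, 0), (b".data", 0x8000, 0x8000)]),
        "plain": build_pe([(b".text", 0x1000, 0x1000), (b".data", 0x100, 0x200)]),
    }
    for label, image in samples.items():
        print(f"{label:12} {upx_indicators(image) or 'no UPX indicators'}")
```

Run against a real file with `upx_indicators(open(path, "rb").read())`. Treat the name and magic indicators as evidence of an unmodified packer and the empty-first-section heuristic as a hint that warrants a closer look; a packer other than UPX can produce the same layout.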
