General
-
Target
https://www.bing.com/ck/a?!&&p=5c30f52d13b65adbJmltdHM9MTcxNTkwNDAwMCZpZ3VpZD0xYWNhZDFkMi1mMmVjLTYwOTUtMjY3Yi1jNTUwZjNhYjYxYjMmaW5zaWQ9NTIwMg&ptn=3&ver=2&hsh=3&fclid=1acad1d2-f2ec-6095-267b-c550f3ab61b3&psq=mega+virus+maker&u=a1aHR0cHM6Ly9naXRodWIuY29tL2NpcGhlcjQ1MC9NZWdhLVZpcnVzLU1ha2VyL3JlbGVhc2Vz&ntb=1
-
Sample
240517-xs88naeb87
Malware Config
Targets
-
-
Target
https://www.bing.com/ck/a?!&&p=5c30f52d13b65adbJmltdHM9MTcxNTkwNDAwMCZpZ3VpZD0xYWNhZDFkMi1mMmVjLTYwOTUtMjY3Yi1jNTUwZjNhYjYxYjMmaW5zaWQ9NTIwMg&ptn=3&ver=2&hsh=3&fclid=1acad1d2-f2ec-6095-267b-c550f3ab61b3&psq=mega+virus+maker&u=a1aHR0cHM6Ly9naXRodWIuY29tL2NpcGhlcjQ1MC9NZWdhLVZpcnVzLU1ha2VyL3JlbGVhc2Vz&ntb=1
Score9/10-
Renames multiple (298) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution
-
Legitimate hosting services abused for malware hosting/C2
-