General

  • Target

    Boendet.docx

  • Size

    21.7MB

  • Sample

    240520-jw6eaaag96

  • MD5

    14b980a65c7501e12ccfecd9bf55cb16

  • SHA1

    7bf794b9b674f5946eadb8e07a01d6aaeb337d7f

  • SHA256

    a91345c766f145d47d6deb90c3ae9d920f28101e12e39d93e88e3612eaf07329

  • SHA512

    a6758a6617f420ac3a49bbfbb055f43a2d5fbfa3611030e359d6ff788b7276f4c005a0e04c9cbc776dcf02e0ddc30b6bb55d1c8758b1822ad6e3cc612a54a504

  • SSDEEP

    393216:9/K/AmXAr22JMg1Ml30SRiGHVdrc5nw0DxTceN+ujRIT++9kkG:4/Ar2XRiSdrc5w0DxTb3RITBeN

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    109.248.203.81
  • Port:
    21
  • Username:
    alex
  • Password:
    easypassword

Targets

    • Target

      Boendet.docx

    • Size

      21.7MB

    • MD5

      14b980a65c7501e12ccfecd9bf55cb16

    • SHA1

      7bf794b9b674f5946eadb8e07a01d6aaeb337d7f

    • SHA256

      a91345c766f145d47d6deb90c3ae9d920f28101e12e39d93e88e3612eaf07329

    • SHA512

      a6758a6617f420ac3a49bbfbb055f43a2d5fbfa3611030e359d6ff788b7276f4c005a0e04c9cbc776dcf02e0ddc30b6bb55d1c8758b1822ad6e3cc612a54a504

    • SSDEEP

      393216:9/K/AmXAr22JMg1Ml30SRiGHVdrc5nw0DxTceN+ujRIT++9kkG:4/Ar2XRiSdrc5w0DxTb3RITBeN

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Modifies Windows Defender Real-time Protection settings

    • Modifies visiblity of hidden/system files in Explorer

    • RMS

      Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    • UAC bypass

    • Windows security bypass

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Blocks application from running via registry modification

      Adds application to list of disallowed applications.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Office macro that triggers on suspicious action

      Office document macro which triggers in special circumstances - often malicious.

    • Sets DLL path for service in the registry

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Blocklisted process makes network request

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies WinLogon

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks