General

  • Target

    ZAMOWIEN.EXE

  • Size

    1.4MB

  • Sample

    240522-n1a66aeh2w

  • MD5

    a7afb929a4be723fd2c352dad4197c6c

  • SHA1

    1357ae925d422ba0b98f14322e73de0cf88e6903

  • SHA256

    616441c74c95a52ec38217d221e79cee12ec87dc0e7276059b5be1274382dd5a

  • SHA512

    418fde024c04c7e17391d325f06eb0ff6b1ac3bda83e333749e824746688549972eab1a32799a78c24ed6c0df83369536c6d00a4d7b42e503a5c9bdb016e7d7f

  • SSDEEP

    24576:yn25nPkW3amy8sQxeWcktTjbJ4/auDyEEEEEEEEEEEEEEEEEEEETKKKKKKKKKKKr:yn2kGy7wTjbq/DyEEEEEEEEEEEEEEEEm

Score
10/10

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.rusticpensiune.ro
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    99AM}+NZ&CCq!4Vq)9!(zXx01.lQ!~nS.fBnY,4Z~fjHnGo*B3Gd;B{Q1!%-Xw--%vn^0%nt

Targets

    • Target

      ZAMOWIEN.EXE

    • Size

      1.4MB

    • MD5

      a7afb929a4be723fd2c352dad4197c6c

    • SHA1

      1357ae925d422ba0b98f14322e73de0cf88e6903

    • SHA256

      616441c74c95a52ec38217d221e79cee12ec87dc0e7276059b5be1274382dd5a

    • SHA512

      418fde024c04c7e17391d325f06eb0ff6b1ac3bda83e333749e824746688549972eab1a32799a78c24ed6c0df83369536c6d00a4d7b42e503a5c9bdb016e7d7f

    • SSDEEP

      24576:yn25nPkW3amy8sQxeWcktTjbJ4/auDyEEEEEEEEEEEEEEEEEEEETKKKKKKKKKKKr:yn2kGy7wTjbq/DyEEEEEEEEEEEEEEEEm

    Score
    10/10
    • Executes dropped EXE

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks