blankgrabber | 1cf3849b8461ed4ed41c3359ac0acc7de0719796d8466e764aed96f051ec305f | Triage

Submit
Reports

Overview

overview

Static

static

xusa legit...hk.exe

windows10-1703-x64

Sharing

General

Target

xusa legit pack.rar
Size

7.0MB
Sample

240523-d38kbsce77
MD5

8d8f0a322f54291fb97a900aff775783
SHA1

6146c268553e9f81ce4829b37200a3895cbfbb7f
SHA256

1cf3849b8461ed4ed41c3359ac0acc7de0719796d8466e764aed96f051ec305f
SHA512

8696de14924f369821d521309d0885357f4f4d82772f0a6e55576971ff0ee80a877a9fbd394dd19234d780c193a30b103be2463792cde616375a1d646c68acc8
SSDEEP

196608:ufkuftguRldDYJEalg3wbRxH58O9AnDtF7LGYq:ipf+ONO2wb53IXGV

Score

10^/10

blankgrabber evasion execution spyware stealer upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

xusa legit pack/xusa main ahk.exe

Resource

win10-20240404-en

evasion execution spyware stealer upx

windows10-1703-x64

19 signatures

1800 seconds

Malware Config

Targets

- Target
  
  xusa legit pack/xusa main ahk.exe
- Size
  
  7.2MB
- MD5
  
  e6f4b47acf64714b2903c547fb2d982b
- SHA1
  
  8105a5cb2b0872b6a584d017946b92a9581203a6
- SHA256
  
  8e4e15ed72ebc7b53265240de73d68f677b185f225521f67f97b8858d2833416
- SHA512
  
  24502b42698393e42bf84d8b31845d296770a3c5bdbac58eeebbfa3834a182ab902680cdae1284627cef51bcb181fc19f63bd17566589c3f3e8df5b81b6d9084
- SSDEEP
  
  196608:Ur+WFbc/ueN/FJMIDJf0gsAGK5SEQRouAKFSCp:b/x/Fqyf0gsfNDAKb
Score

10^/10

evasion execution spyware stealer upx
- Deletes Windows Defender Definitions
  Uses mpcmdrun utility to delete all AV definitions.
  evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Process Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

evasionexecutionspywarestealerupx

© 2018-2024

Terms | Privacy