General

  • Target

    xusa legit pack.rar

  • Size

    7.0MB

  • Sample

    240523-d38kbsce77

  • MD5

    8d8f0a322f54291fb97a900aff775783

  • SHA1

    6146c268553e9f81ce4829b37200a3895cbfbb7f

  • SHA256

    1cf3849b8461ed4ed41c3359ac0acc7de0719796d8466e764aed96f051ec305f

  • SHA512

    8696de14924f369821d521309d0885357f4f4d82772f0a6e55576971ff0ee80a877a9fbd394dd19234d780c193a30b103be2463792cde616375a1d646c68acc8

  • SSDEEP

    196608:ufkuftguRldDYJEalg3wbRxH58O9AnDtF7LGYq:ipf+ONO2wb53IXGV

Malware Config

Targets

    • Target

      xusa legit pack/xusa main ahk.exe

    • Size

      7.2MB

    • MD5

      e6f4b47acf64714b2903c547fb2d982b

    • SHA1

      8105a5cb2b0872b6a584d017946b92a9581203a6

    • SHA256

      8e4e15ed72ebc7b53265240de73d68f677b185f225521f67f97b8858d2833416

    • SHA512

      24502b42698393e42bf84d8b31845d296770a3c5bdbac58eeebbfa3834a182ab902680cdae1284627cef51bcb181fc19f63bd17566589c3f3e8df5b81b6d9084

    • SSDEEP

      196608:Ur+WFbc/ueN/FJMIDJf0gsAGK5SEQRouAKFSCp:b/x/Fqyf0gsfNDAKb

    • Deletes Windows Defender Definitions

      Uses the mpcmdrun utility to delete all AV definitions.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • UPX packed file

      Detects executables packed with UPX or a modified build of the open-source UPX packer.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v13)

Execution

  • Command and Scripting Interpreter (T1059): 2
      • PowerShell (T1059.001): 1

Defense Evasion

  • Impair Defenses (T1562): 1

Credential Access

  • Unsecured Credentials (T1552): 2
      • Credentials In Files (T1552.001): 2

Discovery

  • System Information Discovery (T1082): 3
  • Process Discovery (T1057): 1

Collection

  • Data from Local System (T1005): 2

Command and Control

  • Web Service (T1102): 1

Tasks