Overview

overview

8

Static

static

1

whats.exe

windows7-x64

8

whats.exe

windows10-2004-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    WhatsApp (1).zip

  • Size

    8.8MB

  • Sample

    240523-k5gmysbf66

  • MD5

    0983e3f94c2f14cca5c3ffa3d9f419ba

  • SHA1

    20e2868857466e3b35bc734ac9eb950968dd5a7b

  • SHA256

    e99f6eee7ef846bb809c51a3df5e6c4d7629d85c5a7a44939545c57ffae401fa

  • SHA512

    7371d178a7b6f7e166121a99f2e8208ebe66e4e1102887839e8833f555c63f0781fc67ccc7ea115bcda348165accf4589636b7e803f3335bbd63e715d35bd36d

  • SSDEEP

    196608:iXtBH7h7KQ1Z/hqkEAoAEvLgrzZQhLM5jnndq5kMlsIlVA2OYyduhnjLZGOjBrmj:idRTXA88g4LMW5PsIlgYXjLIOjxmj

Score
8/10
discoverypersistencespywarestealerupxvmprotect

Malware Config

Targets

    • Target

      whats.exe

    • Size

      12.1MB

    • MD5

      ff9ad3e1150b2a99335ab5e295513062

    • SHA1

      9ef477c731e01214f76e4f6161b2b09d92c4fc33

    • SHA256

      b3f70a8027e35c91ad1a18f7176a29f755bba27b20ace5159e5b784c7dab4443

    • SHA512

      5ffd609ba0e0d9b6b3aa029eca7083a1fce286a4f3db1dfefb114e48d33ce16fb1e53834c19a83c5909a1e71aa5f1668ac2760516770517805654397684b533b

    • SSDEEP

      196608:CNESzoOoT8GyziDMqM4mUFBgFzBQDjMPDt7xqxWM/QstP4imicl69ppdJWs4dJ2k:sfz68FEeIgajMCxLQstIifHd4s4T2k

    Score
    8/10
    discoverypersistencespywarestealerupxvmprotect

    • Downloads MZ/PE file

    • Modifies Installed Components in the registry

      persistence

    • Sets file execution options in registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Registers COM server for autorun

      persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

3
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

3
T1547.001

Defense Evasion

Modify Registry

5
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

6
T1012

System Information Discovery

5
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks