General

  • Target

    geekcatpingreducer.rar

  • Size

    7.3MB

  • Sample

    240526-235ensgd38

  • MD5

    1b96562a7c2d928d64cf9d0be827d1f0

  • SHA1

    cf4cf037a15e07a54756f42c5cc016be5b294fb1

  • SHA256

    ae03008ff5951f70aaac1dc39b90cf0b3ce5b5e47d646358ab22c6885a8ce683

  • SHA512

    acd1f8712a515a262cd44ae3c0f848d68fd07bd888617f6bb4a36835980435391006df9ff175e1eddc17f96646df3e1f5c6e7ed80e03ef635299acd9f2155dc4

  • SSDEEP

    196608:5giA4i1xM0WIwaLCeowJUyux6gFNWgRobvfDZJ:Cki1WCLCX8HskgmjZJ

Malware Config

Targets

    • Target

      geekcatpingreducer.exe

    • Size

      7.5MB

    • MD5

      f8c63eca8b26883c30d2240008b07150

    • SHA1

      ccfe5cf24b93114ceb5eca37d9412d3d5c9abd51

    • SHA256

      1bbd2b8817ad1726c8bcc7a13611164010bf04f70527e0bc61c2e408c23330f4

    • SHA512

      8b8f31931bc58dbefbaf74ca6072cdc91993eb5bfc2a683725939e44d935a5af53bf61a1fcfba4b061c362ad51b9efc45adffb94344cbf3806595272848d7f70

    • SSDEEP

      196608:ar97YS6Kc5OshoKMuIkhVastRL5Di3uh1D7J9:CYS85OshouIkPftRL54YRJ9

    • Deletes Windows Defender Definitions

      Uses the mpcmdrun utility to delete all antivirus definitions.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other stored data.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks