General

  • Target: 2024-05-26_e7b3c4b0143fefcba773b882295f4d0c_snatch

  • Size: 7.9MB

  • Sample: 240526-ekcwdaeh47

  • MD5: e7b3c4b0143fefcba773b882295f4d0c

  • SHA1: bb82236fa1272ab513797d260db1c80fc3fd5a79

  • SHA256: f5d6b6c8f39e8377904750b48716512e7d39692e91a4c67ebcc6794b7ba9643b

  • SHA512: 2c2bb7ce2d6d5d5348ee9ea6ce5e5bf233396ec71ce83597c4758eeb7c980fbf9b35ed71cf45c11369f501a7698833de3eb7c2228f9d6e2b409a8103570497aa

  • SSDEEP: 98304:G5GBAoXeLfR3EIQEYDylgM4MYEm2/lUA8+w7QhV+lS4:woXeLCI5QMYEmcUA8+Bf+lS

Malware Config

Targets


    • Detects executables containing a Discord URL observed in first-stage droppers

    • Detects executables referencing combination of virtualization drivers

    • Enumerates VirtualBox DLL files

    • Looks for VirtualBox drivers on disk

    • Looks for VirtualBox executables on disk

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Looks for VMware drivers on disk

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks