4418bd0d54b95f936e0ba5482abf1d4afbf2e3e8b62d0d99b0745ab089364965 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Downloads.rar
Size

30.0MB
Sample

240526-gvm57shd7z
MD5

fd5f560160d448933bfd6d12f97a7656
SHA1

2290f042add4137158d71d11b8bdaa9ea766fc8d
SHA256

4418bd0d54b95f936e0ba5482abf1d4afbf2e3e8b62d0d99b0745ab089364965
SHA512

a33fe0ae907dfdc963dec5bc11ac2974203b93bf25292b56b71c06793b0e775bdab38de1e39c98892fa5993f3e5c8d8ce8760e2ff94ded721eef86be8534a7fa
SSDEEP

786432:M6hpxYDWRi2wfe/29iP2+wRvBpMXKtrOCKQwkN/r6HQI5YoA4sr:rhzwm/29cyMaxTpzI5YXh

Score

7^/10

pyinstaller spyware stealer

Malware Config

Targets

- Target
  
  VapeSS.exe
- Size
  
  12.9MB
- MD5
  
  52e4f04a36e1b177d50c459828a6187a
- SHA1
  
  6f3cbb760d9b659046136d7af75422825f713b13
- SHA256
  
  3c42994eb5810135749696ba46388a888b4ba35232b281a1528cc98cdfabc8c8
- SHA512
  
  1cd617265e5b9338bc02da96d208d79518df168e3b5ee6c57ba64cd5a2a85516e48dc0a0e99de503f45f0a8b121da6daffac45561aedca42b27254ced18f30c8
- SSDEEP
  
  196608:72qT4FMIZETSRjPePdrQJOKbABd1Wm8bMg4iGYPo1BWXOe0y5dHMlO:K8QETSRvJju1Wm8dGJ1AXFZdp
Score

7^/10

spyware stealer
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1
- Target
  
  klk.dll
- Size
  
  18.1MB
- MD5
  
  44b5e89a9f7bab889a4df60042872f17
- SHA1
  
  cfc40cd4fdbda75d3ed52952c500d8ccc12f4a36
- SHA256
  
  16745ae6670eba8a452a5e75fa6142564d31bd3b7d14766e04f1acb214f65703
- SHA512
  
  7f18545da3e4fa726ec33345f7dc137eedf4961a1bd0582b51ee2258a6d5a115187a4e72ec3c7b6d29e33b0a4aa2560adec1833b4bda3f00a7b194ea71d95188
- SSDEEP
  
  393216:kKRqNWNKROYkhkpXorNv+oXsDS3LNK3HOU6x0pW/lJktSrZPLAB:HANWKRrpYrNvou7NK3uU6E29dPL
Score

5^/10
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral2
- Target
  
  lunar_qt.dll
- Size
  
  228KB
- MD5
  
  6d8c17c67970cb5841811eed8adffffc
- SHA1
  
  c869ab32318a035e51aff8e5e11b4cd25fb52a4f
- SHA256
  
  7c4234fac3b6b3e96dace1e71c7a952ec67e3839f90f7a88a9ea283bf88d25b8
- SHA512
  
  7d2a0ffcd72c8bf4a96b2ed722d7119749ec14f5d7e6a601cb6ae4a5b1c4a652b694158f01da340e3ca4751cabd0a56c42bf739d8b421e36937f3691b3b80c72
- SSDEEP
  
  3072:hXxN1I6PgabbAzVxPLI5oIa5amK/1o4ptgELHY1lNyc+m+e7P26g66OVuknsDe0u:hhN1GFZq/15tFc+m97ieuknsDu
Score

1^/10
behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3