cde708b755752e85111895dcc3490764b72f0b7f9eecb20bed90f1bbeabfbcf8 | Triage

Submit
Reports

Overview

overview

7

Static

static

3

Klar.gg_Lite.exe

windows7-x64

7

Klar.gg_Lite.exe

windows10-2004-x64

7

Sharing

General

Target

Klar.gg_Lite.exe
Size

21.8MB
Sample

240527-y2mlpahh64
MD5

5b8cb613ff041a5e38c03c9f3ff44d97
SHA1

37f2f8cfc0d78556761576bca6b77360a659444b
SHA256

cde708b755752e85111895dcc3490764b72f0b7f9eecb20bed90f1bbeabfbcf8
SHA512

39542fe353d9872f1334964808b48586da5986e364858ea6c35a5de7c8f8c1d2e8fcfdd38ed1f233f6e2b2dd99cd300d204b972210f0bae3aecbbc7880fc230c
SSDEEP

393216:9kBJ5vfbL+9qzy/m6ZZMV65EdAWXOQoLdCk+7q3n1t4cU2P/fGBXiWCNva:aBJNf3+9qwXX2AWX5oLv3n1CUXuYVNva

Score

7^/10

persistence pyinstaller spyware stealer upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

Klar.gg_Lite.exe

Resource

win7-20240221-en

windows7-x64

3 signatures

150 seconds

Behavioral task

behavioral2

Sample

Klar.gg_Lite.exe

Resource

win10v2004-20240508-en

persistence spyware stealer upx

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  Klar.gg_Lite.exe
- Size
  
  21.8MB
- MD5
  
  5b8cb613ff041a5e38c03c9f3ff44d97
- SHA1
  
  37f2f8cfc0d78556761576bca6b77360a659444b
- SHA256
  
  cde708b755752e85111895dcc3490764b72f0b7f9eecb20bed90f1bbeabfbcf8
- SHA512
  
  39542fe353d9872f1334964808b48586da5986e364858ea6c35a5de7c8f8c1d2e8fcfdd38ed1f233f6e2b2dd99cd300d204b972210f0bae3aecbbc7880fc230c
- SSDEEP
  
  393216:9kBJ5vfbL+9qzy/m6ZZMV65EdAWXOQoLdCk+7q3n1t4cU2P/fGBXiWCNva:aBJNf3+9qwXX2AWX5oLv3n1CUXuYVNva
Score

7^/10

upx persistence spyware stealer
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Process Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

persistencespywarestealerupx

© 2018-2024

Terms | Privacy