General

  • Target

    START IT.exe

  • Size

    20.0MB

  • Sample

    240528-fzgzbagh62

  • MD5

    312476739549378072868ac5b1e4ace9

  • SHA1

    1d39ab2a8ab555b19442da93890f29a31cabd391

  • SHA256

    895016aa995ac9b6c03eddcdbdfbacbb7d296e6d516f09996ec40c39164a1c9b

  • SHA512

    38a9076f03978fed4d5826f5a81c7903538eaa45a3b0e2bd08315602a1bd223fbb6f03edd83e7f077b63dc354c0e990a614577eec939b777ca8704b65a342717

  • SSDEEP

    98304:tR9+WCHTqi65sn6Wfz7pnxCjJaWlpx1dstaNoSwKHf1c3z5MOueAeF99h3kAbLcW:tGrsDOYjJlpZstQoS9Hf12VKXSb3hy+

Malware Config

Targets

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • UPX packed file

      Detects executables packed with UPX or a modified variant of the UPX open-source packer.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks