General

  • Target

    36925c924c79a0b2.rar

  • Size

    7.5MB

  • Sample

    240528-lxaecaef9v

  • MD5

    a84d7a534b5f7b0ba574ffcf7e6a4764

  • SHA1

    4ba9235dc7d66a6aac4e83998b73c09f2d073b57

  • SHA256

    a8d80f3e6441b2f348ddb5a4af3de7f243f295a88a7763527042790f8b62ff26

  • SHA512

    133ac65e607be570be5abf5786fabc4d5b940a3c7f0cf86ddd8aa214853e281de1f02c0b463439d453bff62709422bb8e625472c80a0327371d37e02437c0207

  • SSDEEP

    196608:QtJvCFazMrcgSQLNoeKVRy0G4cDWXlWsKsKJmoylHWYCiZo6h:QTqFazMrj76LPYjWXlFKpyhZr

Malware Config

Targets

    • Target

      36925c924c79a0b2.exe

    • Size

      7.7MB

    • MD5

      5157f55acf0414b3dd15c7614fb61ef5

    • SHA1

      fd87875467d7edb3e2ee79d47a491aec36affe78

    • SHA256

      9c427515f5992e6201c1703096458d04e75713ccebc6b59d654a4df1921eee62

    • SHA512

      a31e8c6c690f700292a402e98fdfd87e9cc273514df0cbd375f97df5bf8fe925d498401a3f7727e9f919b67baad5cfcc94b92f5a760398923e0c330df04edb29

    • SSDEEP

      196608:fl0SPLeNTfm/pf+xk4dNSESRGtrbWOjgWye:Ey/pWu4m5RGtrbvMWye

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes so that the files it later drops are no longer scanned.

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
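
The Defender-exclusion behaviour listed above is one a responder will want to pull out of PowerShell logging. The following is an added example, not part of this report and not code from the sample: it scans PowerShell script text (for instance the ScriptBlockText field of Event ID 4104) for Add-MpPreference or Set-MpPreference calls that set -ExclusionPath, -ExclusionExtension or -ExclusionProcess, accepts PowerShell's abbreviated parameter names, and decodes -EncodedCommand payloads before scanning them. The script blocks it runs over are constructed for illustration and are not taken from this sample.

```python
"""Flag PowerShell that adds Windows Defender exclusions.

Added example (not from the sandbox report): scans PowerShell script text,
e.g. the ScriptBlockText field of Event ID 4104, for Add-MpPreference or
Set-MpPreference calls that set -ExclusionPath, -ExclusionExtension or
-ExclusionProcess, unwrapping -EncodedCommand payloads first. The sample
script blocks at the bottom are constructed for illustration.
"""
import base64
import re

# Cmdlets that change Defender preferences.
_CMDLET_RE = re.compile(r"(?:Add|Set)-MpPreference\b", re.I)
# PowerShell binds any unambiguous prefix of a parameter name, so match the
# shortest prefixes that still single out each exclusion parameter.
_PARAM_RE = re.compile(r"-Exclusion(?:Pa|E|Pr)\w*", re.I)
# A call's parameters end at a statement separator, a pipe or a line break.
_END_RE = re.compile(r"[;|\r\n]")
# One argument: single-quoted, double-quoted or bare token.
_TOKEN_RE = re.compile(r"""'([^']*)'|"([^"]*)"|([^\s,;|'"]+)""")
# powershell.exe -EncodedCommand and its accepted abbreviations, then base64.
_ENCODED_RE = re.compile(r"-(?:e|ec|en|enc|encod\w*)\s+([A-Za-z0-9+/=]{16,})", re.I)


def _kind(param: str) -> str:
    p = param.lower()
    if p.startswith("-exclusionpa"):
        return "path"
    if p.startswith("-exclusione"):
        return "extension"
    return "process"


def _values(segment: str, pos: int) -> list[str]:
    """Collect the comma-separated arguments after a parameter, up to the next parameter."""
    vals = []
    n = len(segment)
    while True:
        while pos < n and segment[pos] in " \t,":
            pos += 1
        if pos >= n or re.match(r"-[A-Za-z]", segment[pos:]):
            break
        m = _TOKEN_RE.match(segment, pos)
        if not m:
            break
        vals.append(next(g for g in m.groups() if g is not None))
        pos = m.end()
    return vals


def expand_encoded(text: str) -> str:
    """Append the decoded payload of any -EncodedCommand (base64 of UTF-16LE)."""
    out = text
    for m in _ENCODED_RE.finditer(text):
        try:
            out += "\n" + base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue
    return out


def find_exclusions(script_text: str) -> list[tuple[str, str]]:
    """Return (kind, value) pairs for every Defender exclusion the script adds."""
    text = expand_encoded(script_text)
    hits = []
    for cmd in _CMDLET_RE.finditer(text):
        end = _END_RE.search(text, cmd.end())
        segment = text[cmd.end():end.start() if end else len(text)]
        for pm in _PARAM_RE.finditer(segment):
            for value in _values(segment, pm.end()):
                hits.append((_kind(pm.group(0)), value))
    return hits


def scan_blocks(blocks: list[str]) -> dict[int, list[tuple[str, str]]]:
    """Map block index -> exclusions found, omitting blocks with none."""
    return {i: h for i, b in enumerate(blocks) if (h := find_exclusions(b))}


# Constructed ScriptBlockText samples (not taken from the report).
SAMPLE_SCRIPT_BLOCKS = [
    r"Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries', C:\ProgramData\svc "
    r"-ExclusionExtension .exe,.dll -ExclusionProcess svchost32.exe",
    r'Set-MpPreference -ExclusionPa "C:\Windows\Temp" -ExclusionE rar',
    r"Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpPreference",
    "powershell.exe -nop -w hidden -enc "
    + base64.b64encode(r"Add-MpPreference -ExclusionPath C:\Temp\drop".encode("utf-16-le")).decode(),
]

if __name__ == "__main__":
    for idx, hits in scan_blocks(SAMPLE_SCRIPT_BLOCKS).items():
        for kind, value in hits:
            print(f"block {idx}: Defender exclusion {kind} = {value}")
```

Script Block Logging has to be enabled for 4104 events to exist; the same logic applies to Defender's own operational log, which records each changed exclusion as Event ID 5007, and to a process-creation log where the command line contains the encoded form. Tamper-protected Defender ignores these cmdlets, so a hit in the log is evidence of intent, not proof the exclusion took effect.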

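The "UPX packed file" rule above fires on both stock UPX and modified builds, and an analyst usually wants to see which indicators drove it before reaching for upx -d. The following is an added example, not part of this report and not the sandbox's rule: it parses the PE section table with the standard library only and reports the usual UPX indicators, namely UPX0/UPX1 section names, the "UPX!" header marker and, for a modified UPX whose sections were renamed, the layout of a first section with no raw data (the unpack destination) followed by a writable and executable second section (the compressed data and decompression stub). The PE images it checks are constructed header-only fixtures, not real executables and not this sample.

```python
"""Triage a PE for UPX packing from its section table.

Added example (not from the sandbox report): parses the PE section table with
struct alone and reports the indicators a UPX rule relies on: UPX0/UPX1 section
names, the "UPX!" header marker, and the UPX section layout that survives when
a modified build renames its sections. The PE images below are constructed
header-only fixtures, not real executables.
"""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", "UPX3"}
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(data: bytes) -> list[tuple[str, int, int, int]]:
    """Return (name, VirtualSize, SizeOfRawData, Characteristics) per section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    first = coff + 20 + opt_size  # section table follows the optional header
    out = []
    for i in range(num_sections):
        name, vsize, _va, rsize, *_rest, chars = struct.unpack_from(SECTION_HDR, data, first + i * 40)
        out.append((name.rstrip(b"\0").decode("latin-1"), vsize, rsize, chars))
    return out


def upx_indicators(data: bytes) -> list[str]:
    """List the reasons a UPX-style rule would fire on this image (empty if none)."""
    secs = parse_sections(data)
    reasons = []
    upx_names = [s[0] for s in secs if s[0] in UPX_SECTION_NAMES]
    if upx_names:
        reasons.append("UPX section names: " + ", ".join(upx_names))
    if b"UPX!" in data:
        reasons.append("'UPX!' packer header marker present")
    if len(secs) >= 2:
        (_, vsize0, rsize0, _), (_, _, _, chars1) = secs[0], secs[1]
        rwx1 = chars1 & IMAGE_SCN_MEM_EXECUTE and chars1 & IMAGE_SCN_MEM_WRITE
        if rsize0 == 0 and vsize0 > 0 and rwx1:
            reasons.append("UPX layout: first section has no raw data, "
                           "second section is writable and executable")
    return reasons


def build_pe(sections: list[tuple[str, int, int, int]], tail: bytes = b"") -> bytes:
    """Construct a header-only PE32 image with the given section headers (test fixture)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # 64 bytes
    opt = b"\0" * 0xE0                                              # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(
        struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"), vsize, 0x1000 * (i + 1),
                    rsize, 0x400, 0, 0, 0, 0, chars)
        for i, (name, vsize, rsize, chars) in enumerate(sections)
    )
    return dos + b"PE\0\0" + coff + opt + table + tail


# Constructed fixtures: the three section layouts the checks distinguish.
VANILLA_UPX = build_pe([("UPX0", 0x1F000, 0, 0xE0000080),
                        ("UPX1", 0x8000, 0x7E00, 0xE0000040),
                        (".rsrc", 0x1000, 0x600, 0xC0000040)], tail=b"UPX!")
STRIPPED_UPX = build_pe([(".text", 0x1F000, 0, 0xE0000080),   # names renamed, layout kept
                         (".data", 0x8000, 0x7E00, 0xE0000040),
                         (".rsrc", 0x1000, 0x600, 0xC0000040)])
CLEAN_PE = build_pe([(".text", 0x5000, 0x5000, 0x60000020),
                     (".data", 0x1000, 0x400, 0xC0000040),
                     (".rsrc", 0x1000, 0x600, 0x40000040)])

if __name__ == "__main__":
    for label, image in [("vanilla", VANILLA_UPX), ("stripped", STRIPPED_UPX), ("clean", CLEAN_PE)]:
        print(label, upx_indicators(image) or ["no UPX indicators"])
```

Packing is an indicator, not a verdict: legitimate software ships UPX-packed, and the layout heuristic also matches other packers that reserve an empty destination section. When only the layout fires, upx -d will usually refuse the file and the sample has to be unpacked dynamically.
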
MITRE ATT&CK Enterprise v15

Tasks