General

  • Target

    Grabbers-Deobfuscator-main.zip

  • Size

    29.3MB

  • Sample

    240531-2wgp2agf2w

  • MD5

    2f8410ea48bc92c8ada0a16b13d420e8

  • SHA1

    3237c1fae762c8d63c311791442b5cc0e712ba78

  • SHA256

    29a4e38437fb9a7b9757d69c71c098f184613de8f1c681d3e4c13cfb638573c8

  • SHA512

    2e5ae5bce5ec008652c28bf96ee5dd85adf0653b149241350310c420a7803030e731ea5f928eadffbccfd7df23df8a6816b6d58aa579c69196252ad55f404fd7

  • SSDEEP

    786432:CS5IlXgR4GoYxa7MVe1K6Aq25no6e1+HU8uGnDhOLhDR1d010MjN:C9PYDG/6e1+08pt+vg0I

Malware Config

Targets

    • Target

      Grabbers-Deobfuscator-main.zip

    • Size

      29.3MB

    • MD5

      2f8410ea48bc92c8ada0a16b13d420e8

    • SHA1

      3237c1fae762c8d63c311791442b5cc0e712ba78

    • SHA256

      29a4e38437fb9a7b9757d69c71c098f184613de8f1c681d3e4c13cfb638573c8

    • SHA512

      2e5ae5bce5ec008652c28bf96ee5dd85adf0653b149241350310c420a7803030e731ea5f928eadffbccfd7df23df8a6816b6d58aa579c69196252ad55f404fd7

    • SSDEEP

      786432:CS5IlXgR4GoYxa7MVe1K6Aq25no6e1+HU8uGnDhOLhDR1d010MjN:C9PYDG/6e1+08pt+vg0I

    • Modifies visiblity of hidden/system files in Explorer

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Registers COM server for autorun

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Blocklisted process makes network request

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks