General

  • Target

    Bootloader.exe

  • Size

    8.5MB

  • Sample

    240603-h7ha6ahb33

  • MD5

    04bf7634630f3527ab5351ab84009ae5

  • SHA1

    a5c9bacef688213ecfcf3e528eca269e29c68c16

  • SHA256

    9145a2820d02861ab749bdb94dcbe432e3fdd414ec7d409b4e4317f744f08761

  • SHA512

    b204be588adb57d7776bbc27f6a472d8bf827076caa8052fd994a394bc2419846bc0efed0198079bb5aa55dbc5d67150198cc4f652a3e362f84036ac9fd26262

  • SSDEEP

    196608:1r0JT+sxfWVhiurErvI9pWjgU1DEzx7sKL/s1tUgWUHAkjUWlRH2WS:gXxfWVsurEUWjhEhn01trWUd92WS
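The hashes above are the identifiers an analyst uses to confirm that a file on disk is the same sample this report describes. The following is an added example, not part of the report or of the sandbox's own tooling: it hashes a file once with all four algorithms listed (MD5, SHA1, SHA256, SHA512; SSDEEP is not in the Python standard library and is left out), then compares the result against the report's digests case-insensitively and treats a partial match as a mismatch. The `REPORT_DIGESTS` values are copied from the report; the script name and command-line usage are assumptions.

```python
import hashlib
import io
import sys
from typing import BinaryIO, Dict, Iterable

# Digests as listed in the report for Bootloader.exe (hex, lower-case).
REPORT_DIGESTS: Dict[str, str] = {
    "md5": "04bf7634630f3527ab5351ab84009ae5",
    "sha1": "a5c9bacef688213ecfcf3e528eca269e29c68c16",
    "sha256": "9145a2820d02861ab749bdb94dcbe432e3fdd414ec7d409b4e4317f744f08761",
    "sha512": "b204be588adb57d7776bbc27f6a472d8bf827076caa8052fd994a394bc2419846bc0efed0198079bb5aa55dbc5d67150198cc4f652a3e362f84036ac9fd26262",
}

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def digest_stream(stream: BinaryIO, algorithms: Iterable[str] = ALGORITHMS,
                  chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hash a stream once, feeding each chunk to every requested algorithm,
    so an 8.5MB sample is read a single time rather than once per hash."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data: bytes) -> Dict[str, str]:
    """Convenience wrapper for in-memory data."""
    return digest_stream(io.BytesIO(data))


def digest_file(path: str) -> Dict[str, str]:
    """Hash a file on disk."""
    with open(path, "rb") as f:
        return digest_stream(f)


def compare_digests(observed: Dict[str, str],
                    expected: Dict[str, str] = REPORT_DIGESTS) -> Dict[str, bool]:
    """Per-algorithm match, case-insensitive, over the algorithms present in both."""
    return {
        name: observed[name].strip().lower() == expected[name].strip().lower()
        for name in expected if name in observed
    }


def is_reported_sample(observed: Dict[str, str],
                       expected: Dict[str, str] = REPORT_DIGESTS) -> bool:
    """True only when every comparable digest matches; a partial match
    (for example MD5 agrees but SHA256 does not) is treated as a mismatch."""
    results = compare_digests(observed, expected)
    return bool(results) and all(results.values())


if __name__ == "__main__":
    # Assumed usage: python check_hashes.py <path-to-file>
    observed = digest_file(sys.argv[1])
    for name, ok in compare_digests(observed).items():
        print(f"{name:7} {observed[name]}  {'MATCH' if ok else 'MISMATCH'}")
    sys.exit(0 if is_reported_sample(observed) else 1)
```

Because the comparison is strict across all listed digests, a file that matches only on MD5 (a collision-prone algorithm) is reported as a mismatch rather than as the sample.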

Targets

    • Target

      Bootloader.exe

    • Modifies visibility of hidden/system files in Explorer

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials and other sensitive information.

    • UPX packed file

      Detects executables packed with UPX, or with a modified build of the open-source UPX packer.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

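The "Command and Scripting Interpreter: PowerShell" signature above describes the sample adding Windows Defender exclusions. The following is an added detection example, not part of the report or of the sandbox's signature set: it scans process command lines (assumed to come from a source such as Sysmon Event ID 1 or Security Event ID 4688) for `Add-MpPreference`/`Set-MpPreference` with any `-Exclusion*` parameter, including PowerShell's abbreviated parameter names, and first decodes a `-EncodedCommand` (base64 of UTF-16LE) payload so the cmdlet text is visible. The sample command lines are constructed for the example; none are taken from the report.

```python
import base64
import re
from typing import List, Optional, Tuple

# Add-/Set-MpPreference followed (anywhere later on the line) by an -Exclusion*
# parameter. The prefix form covers -ExclusionPath, -ExclusionExtension,
# -ExclusionProcess and PowerShell's parameter abbreviations (e.g. -ExclusionPa).
EXCLUSION_RE = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion\w*",
    re.IGNORECASE | re.DOTALL,
)

# powershell.exe accepts -EncodedCommand as -e, -ec, -en, -enc, -enco, ...;
# the argument is base64 of a UTF-16LE script.
ENCODED_RE = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc[a-z]*)\s+([A-Za-z0-9+/=]{8,})",
    re.IGNORECASE,
)


def decode_encoded_command(b64: str) -> Optional[str]:
    """Decode a -EncodedCommand payload; None if it is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def expand_command_line(cmdline: str) -> str:
    """Append the decoded -EncodedCommand script (if any) so matching sees the
    real cmdlet text rather than the base64 blob."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return cmdline
    decoded = decode_encoded_command(m.group(1))
    return cmdline if decoded is None else cmdline + "\n" + decoded


def find_defender_exclusion_tampering(cmdline: str) -> Optional[str]:
    """Return the matching fragment when the command line adds Defender
    exclusions, or None when it does not."""
    m = EXCLUSION_RE.search(expand_command_line(cmdline))
    return m.group(0) if m else None


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Scan command lines and return (1-based line number, fragment) hits."""
    hits = []
    for number, line in enumerate(lines, 1):
        fragment = find_defender_exclusion_tampering(line)
        if fragment:
            hits.append((number, fragment))
    return hits


# Constructed sample command lines (not taken from the report).
ENCODED_PAYLOAD = base64.b64encode(
    "Set-MpPreference -ExclusionPath C:\\ProgramData\\svc".encode("utf-16le")
).decode("ascii")

SAMPLE_COMMAND_LINES = [
    'powershell.exe -Command "Add-MpPreference -ExclusionPath C:\\Users\\Public '
    '-ExclusionExtension .exe -ExclusionProcess Bootloader.exe"',
    "powershell.exe -nop -w hidden -enc " + ENCODED_PAYLOAD,
    'powershell.exe -Command "Add-MpPreference -ExclusionPa C:\\Temp"',
    'powershell.exe -Command "Get-MpPreference | Select-Object ExclusionPath"',
    'powershell.exe -Command "Get-ChildItem C:\\Windows\\System32"',
]

if __name__ == "__main__":
    for number, fragment in scan(SAMPLE_COMMAND_LINES):
        print(f"line {number}: Defender exclusion tampering ({fragment})")
```

Reading an existing exclusion list with `Get-MpPreference` is deliberately not flagged, since only the cmdlets that change preferences are matched. The encoded-command branch matters in practice because a detection that only inspects the raw command line never sees the cmdlet name inside the base64 blob.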
MITRE ATT&CK Enterprise v15