General
-
Target
https://cdn.discordapp.com/attachments/1246658353233530920/1247269248384893009/EulenLoader.zip?ex=665f6981&is=665e1801&hm=98af74ccc9d5c68524c3a9b3f7fa5413c322759dde76f0a8816e7626394a905d&
-
Sample
240604-b77sgshb7t
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://cdn.discordapp.com/attachments/1246658353233530920/1247269248384893009/EulenLoader.zip?ex=665f6981&is=665e1801&hm=98af74ccc9d5c68524c3a9b3f7fa5413c322759dde76f0a8816e7626394a905d&
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
https://cdn.discordapp.com/attachments/1246658353233530920/1247269248384893009/EulenLoader.zip?ex=665f6981&is=665e1801&hm=98af74ccc9d5c68524c3a9b3f7fa5413c322759dde76f0a8816e7626394a905d&
Resource
win11-20240426-en
Malware Config
Targets
-
-
Target
https://cdn.discordapp.com/attachments/1246658353233530920/1247269248384893009/EulenLoader.zip?ex=665f6981&is=665e1801&hm=98af74ccc9d5c68524c3a9b3f7fa5413c322759dde76f0a8816e7626394a905d&
Score8/10-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1