Resubmissions

06-06-2024 12:59

240606-p8kw1afd78 8

06-06-2024 12:57

240606-p62fzaed6s 8

General

  • Target

    NLHyrbid.rar

  • Size

    15.4MB

  • Sample

    240606-p8kw1afd78

  • MD5

    174d3821d673d3fd0ba0f51b3ba750f5

  • SHA1

    efa93f9daf492722dab96db0e3b13f6e770b762d

  • SHA256

    562a06ab82cdd49a5edb68730c6bf90f76301dbb8f895e6aca99b60a7f6971c0

  • SHA512

    2659113feb6f2959178610b2dfe1a8d3bd2a42819bcaf94b4c13785a37abedddbfd95a6b1a5af6ef9f433fb3f86cabb5367b6f762fe602969a7a89813ef6a7fd

  • SSDEEP

    393216:L+DYLweLOo3ln55Q5bZdO5xQB1se2Er8LevVXkcZ8/lz:KDYLVR725bZc5xQ8e2EggVXmz

Malware Config

Targets

    • Target

      NLHyrbid.rar

    • Size

      15.4MB

    • MD5

      174d3821d673d3fd0ba0f51b3ba750f5

    • SHA1

      efa93f9daf492722dab96db0e3b13f6e770b762d

    • SHA256

      562a06ab82cdd49a5edb68730c6bf90f76301dbb8f895e6aca99b60a7f6971c0

    • SHA512

      2659113feb6f2959178610b2dfe1a8d3bd2a42819bcaf94b4c13785a37abedddbfd95a6b1a5af6ef9f433fb3f86cabb5367b6f762fe602969a7a89813ef6a7fd

    • SSDEEP

      393216:L+DYLweLOo3ln55Q5bZdO5xQB1se2Er8LevVXkcZ8/lz:KDYLVR725bZc5xQ8e2EggVXmz

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Registers COM server for autorun

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

MITRE ATT&CK Enterprise v15

Tasks