Overview

overview

10

Static

static

1

Dexis Setup.exe

windows10-2004-x64

10

Resubmissions

11-06-2024 01:50

240611-b9q8hszbqh 10

09-06-2024 15:53

240609-tbyttach24 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Dexis Setup.exe

  • Size

    64.6MB

  • Sample

    240609-tbyttach24

  • MD5

    168e953440d699dc30a39402b4f6e625

  • SHA1

    66efd121a3fdd79b3443f1204fc3a8a8e8d76d12

  • SHA256

    c0d694f24002c77382adfeaa0f3b9c28d93e2c07d761ccaa5fc9644389031c39

  • SHA512

    0dd0edd1b6cb1e1a5c0c39975dc11a2b85c2cdc3b1f0e476b1d867d2519f37e07fb3aec6e0ab4ea2b6370281434541aa010cfa21a07543ca00edfb47dbbbc7d2

  • SSDEEP

    1572864:sQsJjyxAAJXIUEqFGX6xJU2ii8FStoKNSKqh4DFC2EPc4iUb/++O2g9mju:sQ+jyZLEqFC602h86Dc2EE4Fe9mS

Score
10/10
hijackloaderrhadamanthysstealcdex4executionloaderspywarestealer

Malware Config

Extracted

Family

stealc

Botnet

dex4

C2

http://45.88.77.28

Attributes
  • url_path

    /f6a9d3a0017c37c9.php

Targets

    • Target

      Dexis Setup.exe

    • Size

      64.6MB

    • MD5

      168e953440d699dc30a39402b4f6e625

    • SHA1

      66efd121a3fdd79b3443f1204fc3a8a8e8d76d12

    • SHA256

      c0d694f24002c77382adfeaa0f3b9c28d93e2c07d761ccaa5fc9644389031c39

    • SHA512

      0dd0edd1b6cb1e1a5c0c39975dc11a2b85c2cdc3b1f0e476b1d867d2519f37e07fb3aec6e0ab4ea2b6370281434541aa010cfa21a07543ca00edfb47dbbbc7d2

    • SSDEEP

      1572864:sQsJjyxAAJXIUEqFGX6xJU2ii8FStoKNSKqh4DFC2EPc4iUb/++O2g9mju:sQ+jyZLEqFC602h86Dc2EE4Fe9mS

    Score
    10/10
    hijackloaderrhadamanthysstealcdex4executionloaderspywarestealer

    • Detects HijackLoader (aka IDAT Loader)

    • HijackLoader

      HijackLoader is a multistage loader first seen in 2023.

      loaderhijackloader

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks