Resubmissions

26-07-2024 23:18

240726-3ac1dsthre 10

11-06-2024 01:50

240611-b9q8hszbqh 10

09-06-2024 15:53

240609-tbyttach24 10

General

  • Target

    Dexis Setup.exe

  • Size

    64.6MB

  • Sample

    240611-b9q8hszbqh

  • MD5

    168e953440d699dc30a39402b4f6e625

  • SHA1

    66efd121a3fdd79b3443f1204fc3a8a8e8d76d12

  • SHA256

    c0d694f24002c77382adfeaa0f3b9c28d93e2c07d761ccaa5fc9644389031c39

  • SHA512

    0dd0edd1b6cb1e1a5c0c39975dc11a2b85c2cdc3b1f0e476b1d867d2519f37e07fb3aec6e0ab4ea2b6370281434541aa010cfa21a07543ca00edfb47dbbbc7d2

  • SSDEEP

    1572864:sQsJjyxAAJXIUEqFGX6xJU2ii8FStoKNSKqh4DFC2EPc4iUb/++O2g9mju:sQ+jyZLEqFC602h86Dc2EE4Fe9mS

Malware Config

Extracted

  • Family

    stealc

  • Botnet

    dex9

  • C2

    http://45.132.105.157

  • Attributes

    • url_path

      /eb155c7506e03ca9.php

Targets

    • Target

      Dexis Setup.exe

    • Size

      64.6MB

    • MD5

      168e953440d699dc30a39402b4f6e625

    • SHA1

      66efd121a3fdd79b3443f1204fc3a8a8e8d76d12

    • SHA256

      c0d694f24002c77382adfeaa0f3b9c28d93e2c07d761ccaa5fc9644389031c39

    • SHA512

      0dd0edd1b6cb1e1a5c0c39975dc11a2b85c2cdc3b1f0e476b1d867d2519f37e07fb3aec6e0ab4ea2b6370281434541aa010cfa21a07543ca00edfb47dbbbc7d2

    • SSDEEP

      1572864:sQsJjyxAAJXIUEqFGX6xJU2ii8FStoKNSKqh4DFC2EPc4iUb/++O2g9mju:sQ+jyZLEqFC602h86Dc2EE4Fe9mS

    • Detects HijackLoader (aka IDAT Loader)

    • HijackLoader

      HijackLoader is a multistage loader first seen in 2023.

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • Stealc

      Stealc is an infostealer written in C++.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks