General

  • Target

    Dexis Setup.exe

  • Size

    64.6MB

  • Sample

    240611-s7cqsascmb

  • MD5

    3dbdc09c8952d7994ed78402578824ba

  • SHA1

    d2e4d6e2e6d2ef70585cdee62d543b81c15b29cf

  • SHA256

    e9d1c22e3616399e4ce428ab0c4bbc7d0519f9e3cd19ad91d33bcef5ce539f5c

  • SHA512

    d7c0876e4f9fd21e63d1a5428b7840f7bde717ea81e78482c59f2adafa3bb96a9b083aead5096bd9362b7590ed9ae5604801f68bab47764fa5b006837d3b62a1

  • SSDEEP

    1572864:FQsJjyxAAJXIUEqFGX6xJU2i7d9I3jdz/q2A5znDfRxgJX2+JcUo4c:FQ+jyZLEqFC602OOz/7ApDfRxgJBcUoD

Malware Config

Extracted

Family

stealc

Botnet

dex9

C2

http://45.132.105.157

Attributes
  • url_path

    /eb155c7506e03ca9.php

Targets

    • Target

      Dexis Setup.exe

    • Size

      64.6MB

    • MD5

      3dbdc09c8952d7994ed78402578824ba

    • SHA1

      d2e4d6e2e6d2ef70585cdee62d543b81c15b29cf

    • SHA256

      e9d1c22e3616399e4ce428ab0c4bbc7d0519f9e3cd19ad91d33bcef5ce539f5c

    • SHA512

      d7c0876e4f9fd21e63d1a5428b7840f7bde717ea81e78482c59f2adafa3bb96a9b083aead5096bd9362b7590ed9ae5604801f68bab47764fa5b006837d3b62a1

    • SSDEEP

      1572864:FQsJjyxAAJXIUEqFGX6xJU2i7d9I3jdz/q2A5znDfRxgJX2+JcUo4c:FQ+jyZLEqFC602OOz/7ApDfRxgJBcUoD

    • Detects HijackLoader (aka IDAT Loader)

    • HijackLoader

      HijackLoader is a multistage loader first seen in 2023.

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • Stealc

      Stealc is an infostealer written in C++.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks