General

  • Target

    Physiological Client.exe

  • Size

    28.7MB

  • Sample

    240613-aqqbfaxanb

  • MD5

    e36eed3229f06cedb0e81308d749dec1

  • SHA1

    da999c65f0d2235e4d61ab9398dfb6622bc5552b

  • SHA256

    69b885af915543bb84a69b44db321baaff980cbf573200acd3a72e6daa7261e4

  • SHA512

    d477634998e7f652445bce9b1437e0d336a55e3be7d92edd937a2cbd8739b859fa80e6560a7dd8269494399fbf03ca7cb541babf31e5bf8f5143e018511d094d

  • SSDEEP

    786432:tC3GFQb8H0YLImAPPofAkijB+O6NvfdEK:tNQb8H21Pkujcd

Malware Config

Targets

    • Renames multiple (53) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic               Technique                       ID         Count
Defense Evasion      Hide Artifacts                  T1564      1
                     Hidden Files and Directories    T1564.001  1
Credential Access    Unsecured Credentials           T1552      2
                     Credentials In Files            T1552.001  2
Discovery            System Information Discovery    T1082      1
Collection           Data from Local System          T1005      2
Command and Control  Web Service                     T1102      1

Tasks