General

  • Target

    179f7c5e7656922e692d2147a486ac43549ced5255899bd6ce11c768632faab5

  • Size

    88KB

  • Sample

    240614-xt26qswfpp

  • MD5

    f60fbc8c14c9d1ca68e494da420dc48d

  • SHA1

    e0613d074ab938c00b23081128ce8e49220a2681

  • SHA256

    179f7c5e7656922e692d2147a486ac43549ced5255899bd6ce11c768632faab5

  • SHA512

    af122de4efb35e116246d730dacab493a0fa66732f8d48b0cfc787302255905f07e0b419421100906bd825b5456b0ee1a8987273ce0c0420e840b1810d1f825a

  • SSDEEP

    1536:1MIPgEm56wnbkKC2ZyBJU066lwLCRVEB+nR/y8cmNrEIviCOzuajkrDl9HNSj:11PgEOng1d66jRVa+n4NmNNouukrD7HI

Malware Config

Targets

    • Target

      179f7c5e7656922e692d2147a486ac43549ced5255899bd6ce11c768632faab5

    • Size

      88KB

    • MD5

      f60fbc8c14c9d1ca68e494da420dc48d

    • SHA1

      e0613d074ab938c00b23081128ce8e49220a2681

    • SHA256

      179f7c5e7656922e692d2147a486ac43549ced5255899bd6ce11c768632faab5

    • SHA512

      af122de4efb35e116246d730dacab493a0fa66732f8d48b0cfc787302255905f07e0b419421100906bd825b5456b0ee1a8987273ce0c0420e840b1810d1f825a

    • SSDEEP

      1536:1MIPgEm56wnbkKC2ZyBJU066lwLCRVEB+nR/y8cmNrEIviCOzuajkrDl9HNSj:11PgEOng1d66jRVa+n4NmNNouukrD7HI

    • Detects executables containing base64 encoded User Agent

    • UPX dump on OEP (original entry point)

    • Blocklisted process makes network request

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Remote System Discovery

1
T1018

Collection

Data from Local System

1
T1005

Tasks