General

  • Target

    SteamToolBySeZaR.zip

  • Size

    6.7MB

  • Sample

    240619-1mecwaxenj

  • MD5

    4a5e4147940d14dabe7989283a5426cc

  • SHA1

    2a965f5380926ef5449503b83392b81d35a357f6

  • SHA256

    02b92682e0264bfc9c0a66edae63ac25dcb485c6f0b796f6bf6647cfa6b09d0e

  • SHA512

    27d0ba1bae5d8dd8076a1d32dcd4c020e882fab39b473e587eb90bf24ed19c90f3678baedd036496f36264c1ee1c54da2624dd892bc4eddd7d56fd9bb995109f

  • SSDEEP

    196608:GWZ71boIfhlxXTCZg7iCRRICzDlchTK3BXo:dbvfhlxuUzRRXzDMaBXo

Malware Config

Targets

    • Target

      SteamToolBySeZaR.zip

    • Size

      6.7MB

    • MD5

      4a5e4147940d14dabe7989283a5426cc

    • SHA1

      2a965f5380926ef5449503b83392b81d35a357f6

    • SHA256

      02b92682e0264bfc9c0a66edae63ac25dcb485c6f0b796f6bf6647cfa6b09d0e

    • SHA512

      27d0ba1bae5d8dd8076a1d32dcd4c020e882fab39b473e587eb90bf24ed19c90f3678baedd036496f36264c1ee1c54da2624dd892bc4eddd7d56fd9bb995109f

    • SSDEEP

      196608:GWZ71boIfhlxXTCZg7iCRRICzDlchTK3BXo:dbvfhlxuUzRRXzDMaBXo

    • Score

      1/10

    • Target

      SteamTool.exe

    • Size

      6.9MB

    • MD5

      8329370648873513ab96c3754868c3d3

    • SHA1

      b9efd90fb03979eb9025e1523170d550fc96cc07

    • SHA256

      1b113b3fc34dddb83d165a91e37bcf00afe61dbdf4be216e6ef518aeae7e47cf

    • SHA512

      37ad768407780a69b0c1ea0b45a1c1efef6f8d5e64cb959ff2dd690420a93a73399921f7e32e8f8d9cac2c366564266a2748720a956f7414fa651b42bd71ceb2

    • SSDEEP

      98304:g4kwN+MdA5wqMVD8MMhJMjarJaon7JPzf+JiUCS3swhzqgez7DoeZDJ1n6hBnLnf:g4V1IB6ylnlPzf+JiJCsmFMvNn6hVvTP

    • Command and Scripting Interpreter: PowerShell

      Executes commands via powershell.exe.

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Hide Artifacts: Hidden Files and Directories

    • Target

      �]QZ�$�.pyc

    • Size

      1KB

    • MD5

      49ac3279fa7b762c5b860381814f70c5

    • SHA1

      f97d1a5b7297238230a674ccdb8cac5fce2c665a

    • SHA256

      32636121f19b0809688faadc09b054c0516fee81d932c194a0ec4bc1c3c38fd5

    • SHA512

      45026d405f5ba61b1b955264f188b8a84d439845be1a4037188e70c8ed37344ef938910561c436c3037a718bec5c595e11c2c73432cffd846634c9776eae8a7f

    • Score

      1/10

    • Target

      readme.txt

    • Size

      418B

    • MD5

      6386b3f2e13f3ccc026bf84be45d4c32

    • SHA1

      1703f90e2174afd0c8452a977f9a919913e72717

    • SHA256

      3970fc5068ce14ba3d57835aa8d4b1e351768b042b51fb1a950a715398538d4d

    • SHA512

      56ca91c100cc0bd101b8b8e31fa1879a231106adeea72720a95f95ba4b604749e745fe13d47bf6a1ca16baa94cd35d76ce5b144b5b1f14124d5d1e86a594adda

    • Score

      3/10

MITRE ATT&CK Enterprise v15

Tasks