General

  • Target: illusion.exe
  • Size: 6.0MB
  • Sample: 240619-xnmh4a1hlr
  • MD5: e669a2a46604b3895a65d6157df9e5c2
  • SHA1: 3649dbfa6c13ed55e46a1745fd240c8cb4a02b47
  • SHA256: b66aebf05dec6479cd9f281415ea0187cdb9f751d5a5f2fb689687dc504aded3
  • SHA512: 65ef22937edfe222c92d73f588a47888e89ec5e18285b94571580ab7e101e1c9e8087ffeb364bc58bc1962562b8b51f3580ce2567d21297ae5f39e58364589f9
  • SSDEEP: 98304:errWEtdFBy/namaHl3Ne4i3gmtfXJOLhx9fZAzDJ4wzQgsRuGK4RtBMlfg3HCTC:errVFMSeN/FJMIDJf0gsAGK4RtulTTC

Malware Config

Targets

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks