General

  • Target

    release.rar

  • Size

    21.7MB

  • Sample

    240620-p6qdpssfrj

  • MD5

    7cc9ee71b4f5d983e014b8aa56d1c21a

  • SHA1

    664a81a29f759e1b98b50d7986858d5b1d258361

  • SHA256

    4d63d075c49aace33f4c890a9d36a01d2768b8f70bea6a37a55a1228aad70175

  • SHA512

    c44c0c4e9227239c5d695c206dad103f785c1a08738399d5c322d0064f0c8708d93f1ed884f84f01d697a3bde0b1b3246541ac3138a61f2084f9501aaf5cc5b2

  • SSDEEP

    393216:Sa7UEFfXq3iQa2lxUZygg8M5Hsa7UEFfXq3iQa2lxUZygg8M5HMa7UEFfXq3iQax:DUI6ZMc98MvUI6ZMc98MPUI6ZMc98My

Targets

    • Target

      release/main/cheat.exe

    • Size

      7.3MB

    • MD5

      4165131d7bed66d69a2467e21842d0b3

    • SHA1

      57255f830038d18161089681f43b3c01501bd155

    • SHA256

      bcb9ba98165906ab0cf5d60f7c3397fcbe73ff5904b512c59dbeeca6f25b8b47

    • SHA512

      de3a459ff83144b1c060d6a37942327e92b8b9633839595cc65998c36f920dec298d8af932b1c8efa6c81f90f83be74b12ec47e992974168538d0ac39ad666fc

    • SSDEEP

      196608:s2YS6yoOshoKMuIkhVastRL5Di3uh1D7JK:1YSroOshouIkPftRL54YRJK

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX or a modified build of the UPX open-source packer.

    • Hide Artifacts: Hidden Files and Directories

    • Target

      release/main/loader.exe

    • Size

      7.3MB

    • MD5

      4165131d7bed66d69a2467e21842d0b3

    • SHA1

      57255f830038d18161089681f43b3c01501bd155

    • SHA256

      bcb9ba98165906ab0cf5d60f7c3397fcbe73ff5904b512c59dbeeca6f25b8b47

    • SHA512

      de3a459ff83144b1c060d6a37942327e92b8b9633839595cc65998c36f920dec298d8af932b1c8efa6c81f90f83be74b12ec47e992974168538d0ac39ad666fc

    • SSDEEP

      196608:s2YS6yoOshoKMuIkhVastRL5Di3uh1D7JK:1YSroOshouIkPftRL54YRJK

    • Command and Scripting Interpreter: PowerShell

      Launches a command through powershell.exe.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly read stored browser profile data, which can include saved credentials and similar secrets.

    • UPX packed file

      Detects executables packed with UPX or a modified build of the UPX open-source packer.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Queries a legitimate IP lookup web service to learn the infected system's external IP address.

    • Hide Artifacts: Hidden Files and Directories

    • Target

      release/map/map.exe

    • Size

      7.3MB

    • MD5

      4165131d7bed66d69a2467e21842d0b3

    • SHA1

      57255f830038d18161089681f43b3c01501bd155

    • SHA256

      bcb9ba98165906ab0cf5d60f7c3397fcbe73ff5904b512c59dbeeca6f25b8b47

    • SHA512

      de3a459ff83144b1c060d6a37942327e92b8b9633839595cc65998c36f920dec298d8af932b1c8efa6c81f90f83be74b12ec47e992974168538d0ac39ad666fc

    • SSDEEP

      196608:s2YS6yoOshoKMuIkhVastRL5Di3uh1D7JK:1YSroOshouIkPftRL54YRJK

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX or a modified build of the UPX open-source packer.

    • Hide Artifacts: Hidden Files and Directories
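
The signatures listed above for cheat.exe, loader.exe and map.exe (one file under three names: all three carry SHA256 bcb9ba98165906ab0cf5d60f7c3397fcbe73ff5904b512c59dbeeca6f25b8b47) describe behaviours an analyst re-checks from the sandbox's own event stream: Defender exclusions added through PowerShell, browser profile and wallet file reads, an external IP lookup, and files hidden with attrib. The Python below is an added example, not the sandbox's signature code and not anything recovered from this sample. The events it runs over are constructed, and the IP lookup host list, browser file names and wallet path markers are assumptions a practitioner would tune. It also decodes -EncodedCommand payloads, which the report's descriptions do not mention, because a base64 blob hides the Add-MpPreference call from a plain substring match.

```python
"""Re-check the behaviours reported above against sandbox-style events.
Added example: constructed events, not the sandbox's rules or this sample's logs."""
import base64
import re
from collections import defaultdict

# PowerShell accepts a base64 blob of UTF-16LE script via -e/-ec/-enc/-EncodedCommand.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
MP_PREF_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.I)
# Value after -ExclusionPath / -ExclusionExtension / -ExclusionProcess, quoted or bare.
EXCLUSION_RE = re.compile(
    r"-Exclusion(Path|Extension|Process)\s+(?:\"([^\"]*)\"|'([^']*)'|(\S+))", re.I)
HIDE_RE = re.compile(r"\battrib(?:\.exe)?\b.*\+h", re.I)

# Assumed markers; a real deployment would extend these lists.
BROWSER_FILES = ("login data", "local state", "cookies", "web data", "logins.json", "key4.db")
WALLET_MARKERS = ("wallet.dat", "\\exodus\\", "\\electrum\\", "\\atomic\\", "\\ethereum\\keystore")
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "icanhazip.com", "ifconfig.me",
                   "checkip.amazonaws.com", "ip-api.com", "api.myip.com"}


def expand_command_line(cmdline):
    """Return the command line plus the decoded text of any -EncodedCommand blob."""
    parts = [cmdline]
    for blob in ENCODED_RE.findall(cmdline):
        try:
            parts.append(base64.b64decode(blob, validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not a real encoded command; keep only the raw text
    return "\n".join(parts)


def defender_exclusions(cmdline):
    """List 'Kind=value' for every Defender exclusion the command line adds."""
    text = expand_command_line(cmdline)
    if not MP_PREF_RE.search(text):
        return []
    found = []
    for kind, dq, sq, bare in EXCLUSION_RE.findall(text):
        # -ExclusionExtension exe,dll adds several exclusions in one call
        for value in (dq or sq or bare).split(","):
            found.append(f"{kind.capitalize()}={value.strip()}")
    return found


def triage(events):
    """Map each behaviour name to the evidence that triggered it."""
    hits = defaultdict(list)
    for ev in events:
        if ev["type"] == "process":
            cmd = ev["cmdline"]
            for item in defender_exclusions(cmd):
                hits["defender_exclusion_added"].append(item)
            if HIDE_RE.search(cmd):
                hits["hidden_files_and_directories"].append(cmd)
        elif ev["type"] == "file_read":
            low = ev["path"].lower()
            in_profile = "\\user data\\" in low or "\\profiles\\" in low
            if in_profile and any(low.endswith(name) for name in BROWSER_FILES):
                hits["browser_profile_data_read"].append(ev["path"])
            if any(marker in low for marker in WALLET_MARKERS):
                hits["cryptocurrency_wallet_access"].append(ev["path"])
        elif ev["type"] == "dns":
            if ev["query"].lower() in IP_LOOKUP_HOSTS:
                hits["external_ip_lookup"].append(ev["query"])
    return dict(hits)


# Constructed payload, base64(UTF-16LE) exactly as powershell -enc expects it.
_SCRIPT = 'Add-MpPreference -ExclusionPath "C:\\Users\\Public\\release" -ExclusionProcess loader.exe'
ENCODED = base64.b64encode(_SCRIPT.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [  # constructed, loosely modelled on the report's signature names
    {"type": "process", "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"type": "process", "cmdline": "powershell Add-MpPreference -ExclusionExtension exe,dll"},
    {"type": "process", "cmdline": 'cmd /c attrib +h +s "C:\\Users\\Public\\release"'},
    {"type": "file_read", "path": "C:\\Users\\victim\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"type": "file_read", "path": "C:\\Users\\victim\\AppData\\Roaming\\Exodus\\exodus.wallet\\seed.seco"},
    {"type": "dns", "query": "api.ipify.org"},
    {"type": "dns", "query": "update.example.net"},  # benign, must not be flagged
]

if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_EVENTS).items():
        print(rule, evidence)
```

The exclusion extractor is the part worth keeping: once you know which path, extension or process was excluded, the follow-up question on the host is whether that exclusion is still present (Get-MpPreference on the endpoint), which is the persistence this sample leaves behind even after the dropped files are gone.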

MITRE ATT&CK Enterprise v15
