General

  • Target

    func expander.exe

  • Size

    6.0MB

  • Sample

    240620-tpl26swfkh

  • MD5

    dd23c990f363359843c6dc9ab6e3e497

  • SHA1

    9999144e0144e56a5da1c416889ca36ac8da117b

  • SHA256

    4669b9892fe5e65f588da895bf08c1d5e7f4efe71b731346a4fa1208a9b806d5

  • SHA512

    0b7d0974d52cd3a977a06e3beec54567e6af4ddd730df696d9e01b8c413646e29b065fea65553c9767680e800231bf276db72b2ccde0284682faf7db8d23e460

  • SSDEEP

    98304:m+EtdFBGecamaHl3Ne4i3gmtfXJOLhx9fZAzDJ4wzQgsRuGK4ReOuAK+CTNyo:mdFEedeN/FJMIDJf0gsAGK4RduAK+uUo

Malware Config

Targets

    • Target

      func expander.exe

    • Deletes Windows Defender Definitions

      Uses mpcmdrun utility to delete all AV definitions.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Hide Artifacts: Hidden Files and Directories

MITRE ATT&CK Enterprise v15

Tasks