General

  • Target

    StartBotNet.exe

  • Size

    6.9MB

  • Sample

    240624-s5q6dszdlf

  • MD5

    49a84723ce9c5eb7b023e5650b05f987

  • SHA1

    7d7895834e26df3bcf292717bed20d4107c788fe

  • SHA256

    a2cffb22e4f0fd46b17626c25ed79cd04f5e166352ece6fcfe4bf3685a943c15

  • SHA512

    789ced61880b4612ec99e21a3f56315a88d0483b5340a9a9b87f11f5face6a256c985dd40e60ff0ae93f6c59a51f9550bad07dbe239800a293d1d8338171f441

  • SSDEEP

    98304:3vDjWM8JEE1rBamaHl3Ne4i3Tf2PkOpfW9hZMMoVmkzhxIdfXeRGYKJJcGhEIFWR:3v0MeNTfm/pf+xk4dWRGtrbWOjgWyr

Targets

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, and other sensitive information.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Hide Artifacts: Hidden Files and Directories

MITRE ATT&CK Enterprise v15