General

  • Target

    Nizelo Beta.exe

  • Size

    7.6MB

  • Sample

    240628-eyvncatdll

  • MD5

    7c4592a0898dd124d9f723a5409f0bc5

  • SHA1

    f015ec7e40802d92b75b16fb8474df3b2b7fb7e3

  • SHA256

    12ce04c210d438321f76049b5ad9e1fc09dffe8d460ead81d41ec1390ea6e27d

  • SHA512

    8cbbbedb3d1f7ec02781e0d52e658782fd540d5d7222250ea2ddca1d489a686622e628c68d58e8fd8c67c788a6fd603e089dbe6ec66cf4def0f240e842d06b47

  • SSDEEP

    98304:J/DjWM8JEClk1rBamaHl3Ne4i3Tf2PkOpfW9hZMMoVmkzhxIdfFSpXq7eRaYKJJx:J/01eNTfm/pf+xk4dNSESRatrbWOjgKt

Malware Config

Targets

    • Target

      Nizelo Beta.exe

    • Size

      7.6MB

    • MD5

      7c4592a0898dd124d9f723a5409f0bc5

    • SHA1

      f015ec7e40802d92b75b16fb8474df3b2b7fb7e3

    • SHA256

      12ce04c210d438321f76049b5ad9e1fc09dffe8d460ead81d41ec1390ea6e27d

    • SHA512

      8cbbbedb3d1f7ec02781e0d52e658782fd540d5d7222250ea2ddca1d489a686622e628c68d58e8fd8c67c788a6fd603e089dbe6ec66cf4def0f240e842d06b47

    • SSDEEP

      98304:J/DjWM8JEClk1rBamaHl3Ne4i3Tf2PkOpfW9hZMMoVmkzhxIdfFSpXq7eRaYKJJx:J/01eNTfm/pf+xk4dNSESRatrbWOjgKt

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks