a18598cf0f23b0c116ec10204124ad720b4956355effcf0ae0701bbb2a206f29 | Triage

Resubmissions

29/06/2024, 05:39

240629-gcsmzasbma 10

29/06/2024, 05:38

240629-gbrpaasbkg 10

Sharing

Copy URL Twitter E-mail

General

Target

index.exe
Size

35.9MB
Sample

240629-gcsmzasbma
MD5

7da5d2ae2b4a21b1777c2fb0ad06d75e
SHA1

0c77f532b70f10eadd7853f9a5e42bcc13336133
SHA256

a18598cf0f23b0c116ec10204124ad720b4956355effcf0ae0701bbb2a206f29
SHA512

bf7fc52213eff12fd22786c4c41adee3e234118f2f6e996146d6b38b9530cd86e5f90931b9d947702f6ae62f25256b9b042080c0e51bd3f1f70ae0be99695272
SSDEEP

393216:f1Du8BtuBw2FEL3Z3aLUoQvo6LP/SgbSpYvKEh1EdKwlGQKPJuGsiTfREsrgCYf/:fMguj8Q4Vfv+qFTrYP

Score

10^/10

persistence privilege_escalation

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://who-olive.gl.at.ply.gg:49036/data

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/webcam.ps1

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://github.com/Somali-Devs/Kematian-Stealer/raw/main/frontend-src/kematian_shellcode.ps1

Targets

- Target
  
  index.exe
- Size
  
  35.9MB
- MD5
  
  7da5d2ae2b4a21b1777c2fb0ad06d75e
- SHA1
  
  0c77f532b70f10eadd7853f9a5e42bcc13336133
- SHA256
  
  a18598cf0f23b0c116ec10204124ad720b4956355effcf0ae0701bbb2a206f29
- SHA512
  
  bf7fc52213eff12fd22786c4c41adee3e234118f2f6e996146d6b38b9530cd86e5f90931b9d947702f6ae62f25256b9b042080c0e51bd3f1f70ae0be99695272
- SSDEEP
  
  393216:f1Du8BtuBw2FEL3Z3aLUoQvo6LP/SgbSpYvKEh1EdKwlGQKPJuGsiTfREsrgCYf/:fMguj8Q4Vfv+qFTrYP
Score

10^/10

persistence privilege_escalation
- Blocklisted process makes network request
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

persistenceprivilege_escalation