7b1712a8fd75f73f3a807f858f596f168ee206672063922ee07351b0b097cb72 | Triage

Sharing

General

Target

AIM-Stealer-setup.exe
Size

14.5MB
Sample

240703-ne6qyazdqd
MD5

8db1ca3f184b9e4a7188bed23e905def
SHA1

bda45770765e9d8b18991d3d336f744424af5348
SHA256

7b1712a8fd75f73f3a807f858f596f168ee206672063922ee07351b0b097cb72
SHA512

c02cd44fd8d071fa8d900e7b5570c0457f659039351d6c6f28eea5f8a722864e98638984d6a1ca726395638f39ad6bf834f98f96cc5a05b058e85139d91b45c6
SSDEEP

196608:1x4yTpOa464P29qoWuW4zOvspc9Jaa/segGltJ71wI5fua3fkVZ8ref:1xwa4P291M1UIX/zgGlb/5KZb

Score

8^/10

discovery persistence privilege_escalation spyware stealer

Malware Config

Targets

- Target
  
  AIM-Stealer-setup.exe
- Size
  
  14.5MB
- MD5
  
  8db1ca3f184b9e4a7188bed23e905def
- SHA1
  
  bda45770765e9d8b18991d3d336f744424af5348
- SHA256
  
  7b1712a8fd75f73f3a807f858f596f168ee206672063922ee07351b0b097cb72
- SHA512
  
  c02cd44fd8d071fa8d900e7b5570c0457f659039351d6c6f28eea5f8a722864e98638984d6a1ca726395638f39ad6bf834f98f96cc5a05b058e85139d91b45c6
- SSDEEP
  
  196608:1x4yTpOa464P29qoWuW4zOvspc9Jaa/segGltJ71wI5fua3fkVZ8ref:1xwa4P291M1UIX/zgGlb/5KZb
Score

8^/10

discovery persistence privilege_escalation spyware stealer
- Downloads MZ/PE file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2 behavioral3 behavioral4 behavioral5

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Component Object Model Hijacking

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Component Object Model Hijacking

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

discoverypersistenceprivilege_escalationspywarestealer

behavioral2

behavioral3

behavioral4

behavioral5