blankgrabber | b898d8294125b6d5d661281c132c7675518cf5bef57b28f902fbdc97e5f05d66

General

Target

Shark Predictor.rar
Size

32.0MB
Sample

240720-cfrgvs1gll
MD5

0d1723d5644101d0863150e6bc0ec8e8
SHA1

f62c8cb3813953a278e664c02dc6a4e0e4ccb4fe
SHA256

b898d8294125b6d5d661281c132c7675518cf5bef57b28f902fbdc97e5f05d66
SHA512

d8a347537bb05d4eb3f655333faa88342084d51960d7faaa84557b01905333aa45911e3c38d4a7050e8e83e1981c7a52d293fcef76a0dfbb1bfb1433529bdcd2
SSDEEP

786432:kQwNqHevrlZXwT0IF5D0tkO5qRMCmY0wdwdWJSCvy2UpYP+:fwkHuRSf0+LMCmGwEsGw/

Score

10^/10

Malware Config

Targets

- Target
  
  Shark Predictor/Shark Predictor.exe
- Size
  
  6.8MB
- MD5
  
  94ebee0fc8692acb4b12cb40e0aba034
- SHA1
  
  f8a90ebc1fa203ec9c38a8cfa343f928c81abf5c
- SHA256
  
  7a6809d47c3ed09ef32544325c6ffb992f78119441ffe2ec69fb3caf9bb35ff2
- SHA512
  
  e6631670028e9e26f7aacd54a74b5a328edc5e3f3b4fc630f38a1680631b08a236bfe81a2ee6d326246ee47fa54a1fdee67fdd6dbaa69f9a65b8b2e47e41939c
- SSDEEP
  
  98304:kAkwN+MdA5wqMt98MMhJMjarJaon7JPzf+JiUCS3swhzqgez7DoDZDJ1n6hBnLng:kAV16B6ylnlPzf+JiJCsmFMvcn6hVvU
Score

8^/10

upx execution persistence privilege_escalation spyware stealer
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2
- Target
  
  Shark Predictor/python-3.12.4-amd64.exe
- Size
  
  25.5MB
- MD5
  
  f3df1be26cc7cbd8252ab5632b62d740
- SHA1
  
  3b1f54802b4cb8c02d1eb78fc79f95f91e8e49e4
- SHA256
  
  da5809df5cb05200b3a528a186f39b7d6186376ce051b0a393f1ddf67c995258
- SHA512
  
  2f9a11ffae6d9f1ed76bf816f28812fcba71f87080b0c92e52bfccb46243118c5803a7e25dd78003ca7d66501bfcdce8ff7c691c63c0038b0d409ca3842dcc89
- SSDEEP
  
  786432:zRd0l0X/46+nq1rcVqA5Z2bQcLsv0GlYrJF55e2nRk:L5P46+q1QTILMKB5e2nRk
Score

8^/10

discovery execution persistence privilege_escalation spyware stealer upx
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Drops file in Drivers directory
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
behavioral3 behavioral4