General

  • Target

    maple.zip

  • Size

    83.6MB

  • Sample

    240720-sj9qls1gpl

  • MD5

    86463b8332ffc4d4f5636cf6baae2a79

  • SHA1

    a18b67a927e2e6ec2b11155f47cdd11b3c087470

  • SHA256

    3c937b8994ef68e8b3896c0e5aad62fc408ff403699ba3dcccdb79e2dc435e2a

  • SHA512

    f1dc77847e88d1487b92e3cb00f648a807751b5a262da5eaa992fe5154c068966f00a49874c77f15ceece51b19fa25d492173b51bd14f5ff2d5828547715443e

  • SSDEEP

    1572864:bbUY4Zrbabtl8T68GVWYye9QscqSx9mxXVjG02nxF6Atd3ulj68nmEmFWfwOwUSM:vUpXThGsYemSx412nDtd3ubnmQBwUSil

Malware Config

Targets

    • Target

      maple/maple/Maple.exe

    • Size

      74.8MB

    • MD5

      87dbbc1ff26b8f7e5cbe56b8f7d4d406

    • SHA1

      c731816d542d527c25b0ce6269a573b8eb486e9b

    • SHA256

      f7821841c7f10c253f9e34f91e38cea853244afc0103561647598c707ff26742

    • SHA512

      2196b39219865c2efd75fa678b0e4723951a2a2f48094c410ddcff4b9ef59e35cb946788487130085f77826868abfe3e7c35cbb80389c3e4d59adedce860086c

    • SSDEEP

      1572864:Aps9Fnab4+6DQSc6JUCSi0HTq1/3LmSGnxnkqbHbcT7IMpeQW/0FKAGCYK:wzx6cSgC0HMVGnDbHbc5peu9GCYK

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      maple/maple/crack.dll

    • Size

      5.0MB

    • MD5

      b5b1b26e855eda6268b9a2008e0fce86

    • SHA1

      d7925f7de5835e3564b187d8654bb9305ea945fb

    • SHA256

      06dec4f9857f7b9a43157756606546d04a0f34c87681c7db9aab9125a43b33a7

    • SHA512

      14ad2e93ed5876dd246ce6f32674e994b4f35a5acbb1ac46388bebc682a70ce4eca974fda102c273c71dae3c9bc7b69f965fd636cb2d5c579de9cd23e8b35799

    • SSDEEP

      98304:j+YCYfXbb8DckgAEhxWiHF/5DoNZ2qkFVwz7583lfdmjLdGGf:jP8QDDRF/eNsqgiZ

    Score
    9/10
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks whether UAC is enabled

    • Target

      maple/maple/loader.exe

    • Size

      5.3MB

    • MD5

      e630d72436e3dc1be7763de7f75b7adf

    • SHA1

      40e07b22ab8b69e6827f90e20aeac35757899a23

    • SHA256

      59818142f41895d3cadf7bee0124b392af3473060f00b9548daa3a224223993e

    • SHA512

      82f0be15e2736447fae7d9a313a8a81a2c6e6ca617539ff8bf3fa0d2fe93d96e68afea6964e96e9dd671ba4090ddbc8a759c9b68f10e24a7fb847fe2c9825a83

    • SSDEEP

      98304:MY5XZjNqBeNp4iSgPKpQ9CKhqkaIWvO9SYCxBKXyaxVdb+tSVGHyYDMMl7qg7:MYpMeNp4irCmWISnTz2VtIVDMg7n7

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Stops running service(s)

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks