Overview

overview

9

Static

static

3

maple/maple/Maple.exe

windows11-21h2-x64

8

maple/maple/crack.dll

windows11-21h2-x64

9

maple/mapl...er.exe

windows11-21h2-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    maple.zip

  • Size

    83.6MB

  • Sample

    240720-sj9qls1gpl

  • MD5

    86463b8332ffc4d4f5636cf6baae2a79

  • SHA1

    a18b67a927e2e6ec2b11155f47cdd11b3c087470

  • SHA256

    3c937b8994ef68e8b3896c0e5aad62fc408ff403699ba3dcccdb79e2dc435e2a

  • SHA512

    f1dc77847e88d1487b92e3cb00f648a807751b5a262da5eaa992fe5154c068966f00a49874c77f15ceece51b19fa25d492173b51bd14f5ff2d5828547715443e

  • SSDEEP

    1572864:bbUY4Zrbabtl8T68GVWYye9QscqSx9mxXVjG02nxF6Atd3ulj68nmEmFWfwOwUSM:vUpXThGsYemSx412nDtd3ubnmQBwUSil

Score
9/10
evasionexecutionpersistencepyinstallerspywarestealertrojanupx

Malware Config

Targets

    • Target

      maple/maple/Maple.exe

    • Size

      74.8MB

    • MD5

      87dbbc1ff26b8f7e5cbe56b8f7d4d406

    • SHA1

      c731816d542d527c25b0ce6269a573b8eb486e9b

    • SHA256

      f7821841c7f10c253f9e34f91e38cea853244afc0103561647598c707ff26742

    • SHA512

      2196b39219865c2efd75fa678b0e4723951a2a2f48094c410ddcff4b9ef59e35cb946788487130085f77826868abfe3e7c35cbb80389c3e4d59adedce860086c

    • SSDEEP

      1572864:Aps9Fnab4+6DQSc6JUCSi0HTq1/3LmSGnxnkqbHbcT7IMpeQW/0FKAGCYK:wzx6cSgC0HMVGnDbHbc5peu9GCYK

    Score
    8/10
    executionpersistencepyinstallerspywarestealerupx

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1

    • Target

      maple/maple/crack.dll

    • Size

      5.0MB

    • MD5

      b5b1b26e855eda6268b9a2008e0fce86

    • SHA1

      d7925f7de5835e3564b187d8654bb9305ea945fb

    • SHA256

      06dec4f9857f7b9a43157756606546d04a0f34c87681c7db9aab9125a43b33a7

    • SHA512

      14ad2e93ed5876dd246ce6f32674e994b4f35a5acbb1ac46388bebc682a70ce4eca974fda102c273c71dae3c9bc7b69f965fd636cb2d5c579de9cd23e8b35799

    • SSDEEP

      98304:j+YCYfXbb8DckgAEhxWiHF/5DoNZ2qkFVwz7583lfdmjLdGGf:jP8QDDRF/eNsqgiZ

    Score
    9/10
    evasiontrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks whether UAC is enabled

      evasiontrojan
    behavioral2

    • Target

      maple/maple/loader.exe

    • Size

      5.3MB

    • MD5

      e630d72436e3dc1be7763de7f75b7adf

    • SHA1

      40e07b22ab8b69e6827f90e20aeac35757899a23

    • SHA256

      59818142f41895d3cadf7bee0124b392af3473060f00b9548daa3a224223993e

    • SHA512

      82f0be15e2736447fae7d9a313a8a81a2c6e6ca617539ff8bf3fa0d2fe93d96e68afea6964e96e9dd671ba4090ddbc8a759c9b68f10e24a7fb847fe2c9825a83

    • SSDEEP

      98304:MY5XZjNqBeNp4iSgPKpQ9CKhqkaIWvO9SYCxBKXyaxVdb+tSVGHyYDMMl7qg7:MYpMeNp4irCmWISnTz2VtIVDMg7n7

    Score
    8/10
    evasionexecutionpersistencepyinstallerspywarestealerupx

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Stops running service(s)

      evasionexecution

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

2
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

1
T1562

Modify Registry

2
T1112

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Process Discovery

1
T1057

Query Registry

2
T1012

System Information Discovery

5
T1082

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Service Stop

1
T1489

Tasks