General

  • Target

    safe-archive.zip

  • Size

    2.9MB

  • Sample

    240724-pqc4fawbqj

  • MD5

    3c4ab851c4b1404622d691b262053df5

  • SHA1

    bcd6610c75184b2ca45d0f3fff9ed6f0dcdeeaa4

  • SHA256

    589d93deb639f967f96dbf6cbe48b1b434930ad3ac24a17d8e89ff058e4ec272

  • SHA512

    ec2ab79c71db310b5218f1c324ab4d69a5c23b3a3d309be7e3627185952025c6f6e40b41cc4ecc26649241d343b7f337afdf92f8193076379d5a2ae97a02cd22

  • SSDEEP

    49152:YVTWO1MC9XfT2CgdSHhkU7hnstGLCCAuF4vfbML71yAldpJYSEX/JDY8BV:oiO1MCMCPhkUGGLCCzF4vDQJfeFY4V
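
    The 2.9 MB archive expands to a 762.0 MB setup.exe (listed under Targets below), a compression ratio of roughly 260:1. That ratio is what a PE padded with a large zero-filled overlay looks like, a technique used to push a binary past the file-size limits of AV scanners and sandboxes. The report does not state that this is the case for this sample; the script below is an added example (not part of the report or its sandbox) showing the check an analyst would run before drawing that conclusion: it parses the section table to find where the PE image ends, measures the overlay, and reports its entropy. The file layout it builds with build_padded_pe is a constructed stand-in for testing, not bytes from the real sample.

```python
import math
import struct
import sys
from collections import Counter


def shannon_entropy(buf: bytes, sample: int = 1 << 20) -> float:
    """Entropy in bits/byte over the first `sample` bytes (0.0 for empty or all-zero data)."""
    buf = buf[:sample]
    if not buf:
        return 0.0
    n = len(buf)
    return max(0.0, -sum((c / n) * math.log2(c / n) for c in Counter(buf).values()))


def pe_overlay(data: bytes, min_fraction: float = 0.5, max_entropy: float = 1.0) -> dict:
    """Locate the overlay (bytes past the last section's raw data) of a PE file
    and say whether it looks like low-entropy padding. Thresholds are assumptions."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # IMAGE_DOS_HEADER.e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]   # FileHeader.NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]    # FileHeader.SizeOfOptionalHeader
    sect_table = pe_off + 24 + opt_size
    pe_end = sect_table + 40 * n_sections                        # at least the headers themselves
    for i in range(n_sections):
        # IMAGE_SECTION_HEADER: SizeOfRawData at +16, PointerToRawData at +20
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_table + 40 * i + 16)
        pe_end = max(pe_end, raw_ptr + raw_size)
    overlay = data[pe_end:]
    fraction = len(overlay) / len(data) if data else 0.0
    entropy = shannon_entropy(overlay)
    return {
        "pe_end": pe_end,
        "overlay_len": len(overlay),
        "overlay_fraction": fraction,
        "overlay_entropy": entropy,
        "padded": fraction >= min_fraction and entropy <= max_entropy,
    }


def build_padded_pe(padding_len: int) -> bytes:
    """Constructed sample: a minimal one-section PE followed by `padding_len`
    zero bytes. A stand-in for testing, not bytes from the real setup.exe."""
    pe_off = 0x40
    dos = bytearray(pe_off)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0: optional header omitted), Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    # One .text section: VirtualSize, VirtualAddress, SizeOfRawData=0x200,
    # PointerToRawData=0x200, relocs/linenumbers zeroed, CODE|EXECUTE|READ
    sect = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", 0x200, 0x1000,
                       0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    header = (bytes(dos) + b"PE\0\0" + file_hdr + sect).ljust(0x200, b"\0")
    body = bytes(range(256)) * 2                                 # 0x200 bytes of varied "code"
    return header + body + b"\0" * padding_len


if __name__ == "__main__":
    # Usage: python pe_overlay.py <file.exe>; with no argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_padded_pe(1 << 20)
    for k, v in pe_overlay(data).items():
        print(f"{k}: {v}")
```

    A real inflated binary usually shows an overlay covering well over 90% of the file with entropy near zero; a legitimately large installer instead carries a high-entropy overlay (an embedded compressed archive or installer payload), so the entropy figure is what separates the two, not the overlay size alone.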

Malware Config

Targets

    • Target

      setup.exe

    • Size

      762.0MB

    • MD5

      9326c686071c528549c80eea2638082e

    • SHA1

      3c31e38d81289de167d9f37fbc6697b5c9cf71bd

    • SHA256

      59ca077c90d1d26bb9e79b44c74a0ecf04bd02a92a90146efe87c170e11ca3d2

    • SHA512

      9af45bc59bbd42d738cbf9547d8d6121a61bd97a6b9a3a2f2fc39caf721a6a64ce7ab991e482bd13a39ac3ddf62cfc1f95613c7d805370d2cda0199f4bccc114

    • SSDEEP

      49152:NpfTCy0d0R7ruhVrPwHStdgjGf+WAud5iqBRSLmIe59123L7W:eyN7ruHaLGf+Wzd5TSLm/23m

    • Modifies firewall policy service

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install (PPI) malware distribution service; it fetches and executes additional payloads chosen by the paying customer on the infected host.

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner, most commonly used to mine Monero.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser's credential store (MITRE ATT&CK T1555.003).

    • XMRig Miner payload

    • Creates new service(s)

    • Downloads MZ/PE file

    • Stops running service(s)

    • Checks computer location settings

      Looks up the country code configured in the registry, likely to geofence execution by the victim's locale.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Power Settings

      powercfg controls all configurable power settings on a Windows system and can be abused to keep an infected host from sleeping or hibernating, so that a payload such as a miner keeps running.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
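
    Several of the behaviours listed above (Power Settings, service creation and stopping, firewall policy modification, external IP lookup) leave host telemetry that a detection rule can match. The script below is an added example, not part of the report or of the sandbox that produced it: it runs a few rules over constructed Sysmon-style events (EventID 1 process creation, 13 registry value set, 22 DNS query). The events, the rule patterns and the list of IP-lookup domains are assumptions for illustration; the sample did not necessarily run these exact commands.

```python
import re

# Constructed events in a simplified Sysmon-like shape. They are made up for
# this example and are not logs from the sandbox run described in the report.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\powercfg.exe",
     "CommandLine": "powercfg /hibernate off"},
    {"EventID": 1, "Image": r"C:\Windows\System32\powercfg.exe",
     "CommandLine": "powercfg -standby-timeout-ac 0"},
    {"EventID": 1, "Image": r"C:\Windows\System32\powercfg.exe",
     "CommandLine": "powercfg /list"},                                  # benign
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc create SysUpdateSvc binPath= "C:\ProgramData\upd.exe" start= auto'},
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc query wuauserv"},                               # benign
    {"EventID": 1, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net stop WinDefend"},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh advfirewall set allprofiles state off"},
    {"EventID": 13, "Image": r"C:\Users\Public\setup.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 22, "Image": r"C:\Users\Public\setup.exe",
     "QueryName": "api.ipify.org"},
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "ctldl.windowsupdate.com"},                           # benign
]

# (signature name, Sysmon EventID, field to inspect, regex). Patterns are assumptions.
RULES = [
    ("Power Settings", 1, "CommandLine",
     r"(?i)\bpowercfg(\.exe)?\b.*(?:[-/]h(?:ibernate)?\s+off|(?:standby|monitor|hibernate)-timeout-(?:ac|dc)\s+0\b)"),
    ("Creates new service(s)", 1, "CommandLine",
     r"(?i)\bsc(\.exe)?\s+create\b"),
    ("Stops running service(s)", 1, "CommandLine",
     r"(?i)\b(?:sc(\.exe)?\s+stop|net1?(\.exe)?\s+stop)\b"),
    ("Modifies firewall policy service", 1, "CommandLine",
     r"(?i)\bnetsh(\.exe)?\s+advfirewall\b.*\b(?:state\s+off|add\s+rule)"),
    ("Modifies firewall policy service", 13, "TargetObject",
     r"(?i)\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\"),
    ("Looks up external IP address via web service", 22, "QueryName",
     r"(?i)^(?:api\.ipify\.org|ipinfo\.io|ip-api\.com|icanhazip\.com|checkip\.amazonaws\.com|api\.myip\.com)$"),
]


def match_events(events):
    """Return (signature, image, matched field value) for every rule hit."""
    hits = []
    for ev in events:
        for name, event_id, field, pattern in RULES:
            if ev.get("EventID") != event_id:
                continue
            value = ev.get(field, "")
            if re.search(pattern, value):
                hits.append((name, ev.get("Image", ""), value))
    return hits


def triggered_signatures(events):
    """Distinct signature names raised by the event set, sorted."""
    return sorted({name for name, _, _ in match_events(events)})


if __name__ == "__main__":
    for name, image, value in match_events(SAMPLE_EVENTS):
        print(f"[{name}] {image}: {value}")
```

    The firewall rule is deliberately split across a command-line pattern and a registry-set pattern, because a sample can reach the same state through netsh or by writing the FirewallPolicy keys directly, and a rule keyed on only one of them misses the other. The benign powercfg /list and sc query events are there to show the patterns do not fire on routine administration of the same tools.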

MITRE ATT&CK Matrix

Tasks