General
-
Target
Dexis Setup.exe
-
Size
64.6MB
-
Sample
240726-3ac1dsthre
-
MD5
168e953440d699dc30a39402b4f6e625
-
SHA1
66efd121a3fdd79b3443f1204fc3a8a8e8d76d12
-
SHA256
c0d694f24002c77382adfeaa0f3b9c28d93e2c07d761ccaa5fc9644389031c39
-
SHA512
0dd0edd1b6cb1e1a5c0c39975dc11a2b85c2cdc3b1f0e476b1d867d2519f37e07fb3aec6e0ab4ea2b6370281434541aa010cfa21a07543ca00edfb47dbbbc7d2
-
SSDEEP
1572864:sQsJjyxAAJXIUEqFGX6xJU2ii8FStoKNSKqh4DFC2EPc4iUb/++O2g9mju:sQ+jyZLEqFC602h86Dc2EE4Fe9mS
Static task
static1
Behavioral task
behavioral1
Sample
Dexis Setup.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
Dexis Setup.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
Dexis Setup.exe
Resource
win10v2004-20240709-en
Malware Config
Extracted
stealc
dex23
http://45.156.27.196
-
url_path
/4c7ef30d4540070f.php
Targets
-
-
Target
Dexis Setup.exe
-
Size
64.6MB
-
MD5
168e953440d699dc30a39402b4f6e625
-
SHA1
66efd121a3fdd79b3443f1204fc3a8a8e8d76d12
-
SHA256
c0d694f24002c77382adfeaa0f3b9c28d93e2c07d761ccaa5fc9644389031c39
-
SHA512
0dd0edd1b6cb1e1a5c0c39975dc11a2b85c2cdc3b1f0e476b1d867d2519f37e07fb3aec6e0ab4ea2b6370281434541aa010cfa21a07543ca00edfb47dbbbc7d2
-
SSDEEP
1572864:sQsJjyxAAJXIUEqFGX6xJU2ii8FStoKNSKqh4DFC2EPc4iUb/++O2g9mju:sQ+jyZLEqFC602h86Dc2EE4Fe9mS
-
Detects HijackLoader (aka IDAT Loader)
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2