blankgrabber | ae656ffc88a40d749bbb6f3d4c3f71c48bd90a8e030f00d1fadbf1a80920f942

General

Target

NExec.zip
Size

6.8MB
Sample

240726-pvd7as1hla
MD5

c11b31c8f69a9333ac396c33cfd07c69
SHA1

e78bdf112c4062c6d04ed8cb7ca1ddaf3539a548
SHA256

ae656ffc88a40d749bbb6f3d4c3f71c48bd90a8e030f00d1fadbf1a80920f942
SHA512

86c33370495cd4210dad6701ba03490c30560c9dfa0ac8bd11a137bdca0c8d788dc2e213c587a5b119d7b6ce9cda9a617d0d5fa2b1e8dfe6beb1feb8c3b4d3d6
SSDEEP

196608:RAM3ibJMrFbK9XLWRkiETHkRINpNq6XhUY:CzwY9X6ZETERINpNfRUY

Score

10^/10

Malware Config

Targets

- Target
  
  Naughty Executor/Naughty Executor.exe
- Size
  
  8.0MB
- MD5
  
  e31fc38e068701478abb59d78bb077db
- SHA1
  
  7d472a496a11e79d5cd9fabeda231c0572f89f32
- SHA256
  
  60ee84a0046d08306732071d6ec8ab0af9b7aeca0724ac38a6a62150688226a1
- SHA512
  
  cb6e7e5d6d754bfd44b77ecbde7b5910e41adc9f16000ce764c1bb9c91a2a5f5cb7fbfeeb50a0982d5086905302e1812744bfd591c9ed29a20de603f392a82dc
- SSDEEP
  
  98304:cmEDjWM8JEE1r2wamaHl3Ne4i3Tf2PkOpfW9hZMMoVmkzhxIdfXeRaYKJJcGhEIv:cmE0keNTfm/pf+xk4dWRatrbWOjgKn
Score

9^/10

upx collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Enumerates processes with tasklist
  discovery
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
behavioral1 behavioral2