General

  • Target

    Larsy's Promo Gen.exe

  • Size

    37.6MB

  • Sample

    240726-srrj1awbqm

  • MD5

    9619f7bec88da160298811e8f7040d8a

  • SHA1

    f1103bc2d1f0d894bcc881c521da389de98296f6

  • SHA256

    66f23b5af056912fbab24bcc2dfb0d5345df4841d8c8d7f34294413c2b687ef0

  • SHA512

    b6adc57db9de797a667edd4d31b0580aa20c3d0385d35462ee3f7159bef17eefd2daf73cee545ef7f95bd390a13450f94dda72a3eb52bfcb58933a5772225836

  • SSDEEP

    393216:0QgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mg+96l+ZArYsFRlePI:03on1HvSzxAMN+FZArYsmPv0M7OZ9Nb

Malware Config

Targets

    • Target

      Larsy's Promo Gen.exe

    • Size

      37.6MB

    • MD5

      9619f7bec88da160298811e8f7040d8a

    • SHA1

      f1103bc2d1f0d894bcc881c521da389de98296f6

    • SHA256

      66f23b5af056912fbab24bcc2dfb0d5345df4841d8c8d7f34294413c2b687ef0

    • SHA512

      b6adc57db9de797a667edd4d31b0580aa20c3d0385d35462ee3f7159bef17eefd2daf73cee545ef7f95bd390a13450f94dda72a3eb52bfcb58933a5772225836

    • SSDEEP

      393216:0QgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mg+96l+ZArYsFRlePI:03on1HvSzxAMN+FZArYsmPv0M7OZ9Nb

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Hide Artifacts: Hidden Window

      Windows that would typically be displayed when an application carries out an operation can be hidden.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • An obfuscated cmd.exe command-line is typically used to evade detection.

    • Enumerates processes with tasklist

MITRE ATT&CK Enterprise v15

Tasks