General

  • Target

    Wasper-Setup.exe.vir

  • Size

    45.5MB

  • Sample

    240728-sgqjysthph

  • MD5

    ee7517fda25c5c0f955c96bf416b35bf

  • SHA1

    5538cd903d17837fcf1448933ea0b7f74793c868

  • SHA256

    eea65eb3a1b2443e8e3f26ce6ad39a85150576bc43d757e17fb93deb938ff0f0

  • SHA512

    e42f468a43e775bb12d44f857e2c5f6e7e088c0eab14acb885f10f30d26e9bd8a0656e8044f22019d6521156404647d7bb8024e0f60796f1d57c6e516cca14fc

  • SSDEEP

    786432:+yS2qHe93TkaKlV0zik3gPqdOIEPh5eI0glAf69QEx+ExtOjPrnyl1tlfd9sQo:+v2PS5kwPoOlPhUI0gCC9L6jLqFTs7

Malware Config

Extracted

Family

stealc

Botnet

wasp23

C2

http://45.156.27.196

Attributes
  • url_path

    /4c7ef30d4540070f.php

Targets

    • Target

      Wasper-Setup.exe.vir

    • Size

      45.5MB

    • MD5

      ee7517fda25c5c0f955c96bf416b35bf

    • SHA1

      5538cd903d17837fcf1448933ea0b7f74793c868

    • SHA256

      eea65eb3a1b2443e8e3f26ce6ad39a85150576bc43d757e17fb93deb938ff0f0

    • SHA512

      e42f468a43e775bb12d44f857e2c5f6e7e088c0eab14acb885f10f30d26e9bd8a0656e8044f22019d6521156404647d7bb8024e0f60796f1d57c6e516cca14fc

    • SSDEEP

      786432:+yS2qHe93TkaKlV0zik3gPqdOIEPh5eI0glAf69QEx+ExtOjPrnyl1tlfd9sQo:+v2PS5kwPoOlPhUI0gCC9L6jLqFTs7

    • Detects HijackLoader (aka IDAT Loader)

    • HijackLoader

      HijackLoader is a multistage loader first seen in 2023.

    • Stealc

      Stealc is an infostealer written in C++.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Downloads MZ/PE file

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks