Overview

overview

10

Static

static

1

Wasper Setup.exe

windows7-x64

10

Wasper Setup.exe

windows10-1703-x64

10

Wasper Setup.exe

windows10-2004-x64

10

Wasper Setup.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Wasper Setup.exe

  • Size

    51.9MB

  • Sample

    240804-cdxk4axdle

  • MD5

    a421f09731bc163abba8b85e660499e1

  • SHA1

    20dcf24c99b169a9b47c8f390e40508040a259b1

  • SHA256

    5f0637ae587d8dde726b69838ada990c771bf8c2a725e57e2a72c2d2165f0806

  • SHA512

    4d07fc1b1b441fd566e44f34442230d613e54e5987770aed58e458a3e3e8c64672dfdc58c394fde994f66d359db9b5e16e5d35f1319bf35a22d478762de68e32

  • SSDEEP

    1572864:R2eFjiaFO3kVFQXKuhsxCEmGhq3Nb2vBe6OkYiYhol0Yx:LFO93kVFx8sxCEmGU3V1zk8holzx

Score
10/10
hijackloaderrhadamanthysstealcwasp2credential_accessdiscoveryloaderspywarestealer

Malware Config

Extracted

Family

stealc

Botnet

wasp2

C2

http://45.152.112.103

Attributes
  • url_path

    /1cf3aa1810feeb67.php

Targets

    • Target

      Wasper Setup.exe

    • Size

      51.9MB

    • MD5

      a421f09731bc163abba8b85e660499e1

    • SHA1

      20dcf24c99b169a9b47c8f390e40508040a259b1

    • SHA256

      5f0637ae587d8dde726b69838ada990c771bf8c2a725e57e2a72c2d2165f0806

    • SHA512

      4d07fc1b1b441fd566e44f34442230d613e54e5987770aed58e458a3e3e8c64672dfdc58c394fde994f66d359db9b5e16e5d35f1319bf35a22d478762de68e32

    • SSDEEP

      1572864:R2eFjiaFO3kVFQXKuhsxCEmGhq3Nb2vBe6OkYiYhol0Yx:LFO93kVFx8sxCEmGU3V1zk8holzx

    Score
    10/10
    hijackloaderstealcwasp2credential_accessdiscoveryloaderspywarestealerrhadamanthys

    • Detects HijackLoader (aka IDAT Loader)

    • HijackLoader

      HijackLoader is a multistage loader first seen in 2023.

      loaderhijackloader

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks