1e3c17c2b74ad7d0e3f646ec9fe2a5bb6bd9a2f5a2cf02c02fc4b5d432dede69

General

Target

BrowserUpdater.vhd
Size

6.0MB
Sample

240806-yk45eaydrn
MD5

5714c27e55d82b9ff9d92c04eee9570e
SHA1

78484dac3651e19d92bbd717769c696cae5da1ba
SHA256

1e3c17c2b74ad7d0e3f646ec9fe2a5bb6bd9a2f5a2cf02c02fc4b5d432dede69
SHA512

a63f236285d98375b904dddc1fa4db4ccbd7988b00f19690127bd93cbe7f759ed7fe80b0b4d1d1e4d86384c5f8496e7b80e9dc1e75692c68e3b7f7834a472189
SSDEEP

96:fYgvmJUX3S7OkUX3S7OdyHywJOSk58/AQcsgffVxfA2NrXl:fFvuUnS7vUnS7GyHfJOSk5aAQlglJ

Score

10^/10

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://redr.me/g3boil/

Extracted

Language

hta

Source

URLs

hta.dropper

https://redr.me/g3boil/

Targets

- Target
  
  BrowserUpdater.vhd
- Size
  
  6.0MB
- MD5
  
  5714c27e55d82b9ff9d92c04eee9570e
- SHA1
  
  78484dac3651e19d92bbd717769c696cae5da1ba
- SHA256
  
  1e3c17c2b74ad7d0e3f646ec9fe2a5bb6bd9a2f5a2cf02c02fc4b5d432dede69
- SHA512
  
  a63f236285d98375b904dddc1fa4db4ccbd7988b00f19690127bd93cbe7f759ed7fe80b0b4d1d1e4d86384c5f8496e7b80e9dc1e75692c68e3b7f7834a472189
- SSDEEP
  
  96:fYgvmJUX3S7OkUX3S7OdyHywJOSk58/AQcsgffVxfA2NrXl:fFvuUnS7vUnS7GyHfJOSk5aAQlglJ
Score

3^/10

discovery
behavioral1 behavioral2
- Target
  
  out.vhd
- Size
  
  6.0MB
- MD5
  
  5714c27e55d82b9ff9d92c04eee9570e
- SHA1
  
  78484dac3651e19d92bbd717769c696cae5da1ba
- SHA256
  
  1e3c17c2b74ad7d0e3f646ec9fe2a5bb6bd9a2f5a2cf02c02fc4b5d432dede69
- SHA512
  
  a63f236285d98375b904dddc1fa4db4ccbd7988b00f19690127bd93cbe7f759ed7fe80b0b4d1d1e4d86384c5f8496e7b80e9dc1e75692c68e3b7f7834a472189
- SSDEEP
  
  96:fYgvmJUX3S7OkUX3S7OdyHywJOSk58/AQcsgffVxfA2NrXl:fFvuUnS7vUnS7GyHfJOSk5aAQlglJ
Score

1^/10
behavioral3 behavioral4
- Target
  
  BrowserUpdater.lnk
- Size
  
  2KB
- MD5
  
  7ed0b7e22f568d2eedaf956ba831d0a6
- SHA1
  
  c073465e6ca109f2069f2e26f28525e66da54bee
- SHA256
  
  7a6ad3868f0223896ceea378a056b2568ad6f6ca2e65baaa7b55e1033da3abd7
- SHA512
  
  c718e67fb2554d7bbbac60a1a3dae6fe6bcdf4c06c0cababd8b623d52f1d306f9441c27deaaff269e129fb0dcecb17430480b1941b14d95a01d3ffd4c87887cd
Score

10^/10

execution credential_access discovery evasion stealer
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Blocklisted process makes network request
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Enumerates processes with tasklist
  discovery
behavioral5 behavioral6
- Target
  
  System Volume Information/WPSettings.dat
- Size
  
  12B
- MD5
  
  180b816e2572459f17781afb69001011
- SHA1
  
  a1c359386cc27618741600f0bb097e9f3879b261
- SHA256
  
  8d9013521ff515a10aa929989195a442bd4d78bd5b7aef89a5dd987b94411f9c
- SHA512
  
  02ae89704f0ade1164b4077d0f3d1f8c12829c2538acfad1f05fa9d7f2ce234fc61a74b7a2d5eb7dd4b6981c7a56c9806c8d18d48b6fc2d4ee1aa3e9f60f4982
Score

3^/10

discovery
behavioral7 behavioral8