Overview

overview

10

Static

static

1

BrowserUpdater.lnk

windows7-x64

10

BrowserUpdater.lnk

windows10-2004-x64

10

Resubmissions

07/08/2024, 21:06

240807-zxvl6sxfkf 10

06/08/2024, 20:12

240806-yzbfmssgqc 10

06/08/2024, 19:51

240806-yk45eaydrn 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    BrowserUpdater.vhd

  • Size

    6.0MB

  • Sample

    240806-yzbfmssgqc

  • MD5

    5714c27e55d82b9ff9d92c04eee9570e

  • SHA1

    78484dac3651e19d92bbd717769c696cae5da1ba

  • SHA256

    1e3c17c2b74ad7d0e3f646ec9fe2a5bb6bd9a2f5a2cf02c02fc4b5d432dede69

  • SHA512

    a63f236285d98375b904dddc1fa4db4ccbd7988b00f19690127bd93cbe7f759ed7fe80b0b4d1d1e4d86384c5f8496e7b80e9dc1e75692c68e3b7f7834a472189

  • SSDEEP

    96:fYgvmJUX3S7OkUX3S7OdyHywJOSk58/AQcsgffVxfA2NrXl:fFvuUnS7vUnS7GyHfJOSk5aAQlglJ

Score
10/10
credential_accessdiscoveryevasionexecutionspywarestealer

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

https://redr.me/g3boil/

Extracted

Language
hta
Source
URLs
hta.dropper

https://redr.me/g3boil/

Targets

    • Target

      BrowserUpdater.lnk

    • Size

      2KB

    • MD5

      7ed0b7e22f568d2eedaf956ba831d0a6

    • SHA1

      c073465e6ca109f2069f2e26f28525e66da54bee

    • SHA256

      7a6ad3868f0223896ceea378a056b2568ad6f6ca2e65baaa7b55e1033da3abd7

    • SHA512

      c718e67fb2554d7bbbac60a1a3dae6fe6bcdf4c06c0cababd8b623d52f1d306f9441c27deaaff269e129fb0dcecb17430480b1941b14d95a01d3ffd4c87887cd

    Score
    10/10
    executioncredential_accessdiscoveryevasionspywarestealer

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Blocklisted process makes network request

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Command and Scripting Interpreter: PowerShell

      Start PowerShell.

      execution

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

      discovery
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks