General

  • Target

    RiskPlatform.zip

  • Size

    270.6MB

  • Sample

    240814-pxwjcssflc

  • MD5

    4338b4e47dfd10a794d62b8f0eaf5501

  • SHA1

    60ed574567fff35defb8bcd71b004565a9f69b06

  • SHA256

    29056c71459cc32452ab76136f8c79f206d8f3144ef8c6b83a4db8f531b90625

  • SHA512

    f3ee76ce5ea6335b4d9616af31de99d6d65487be641aa5517493aa2b346066a5798ea185539e1c59b8ba7b98b4d3474d37d705d49f2bb37fba19772da267e508

  • SSDEEP

    6291456:tRKbfZmOtdvMKEmOBajygGl2lSTX6im1jU0iKp7XWP9:tQ7v53EJBajyg2TXQVU0hGF

Malware Config

Extracted

  • Language

    xlm4.0

  • Source

Targets

    • Target

      RiskPlatform.zip

    • Size

      270.6MB

    • MD5

      4338b4e47dfd10a794d62b8f0eaf5501

    • SHA1

      60ed574567fff35defb8bcd71b004565a9f69b06

    • SHA256

      29056c71459cc32452ab76136f8c79f206d8f3144ef8c6b83a4db8f531b90625

    • SHA512

      f3ee76ce5ea6335b4d9616af31de99d6d65487be641aa5517493aa2b346066a5798ea185539e1c59b8ba7b98b4d3474d37d705d49f2bb37fba19772da267e508

    • SSDEEP

      6291456:tRKbfZmOtdvMKEmOBajygGl2lSTX6im1jU0iKp7XWP9:tQ7v53EJBajyg2TXQVU0hGF

    • Detects Strela Stealer payload

    • Strela stealer

      An info stealer targeting mail credentials first seen in late 2022.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Blocklisted process makes network request

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Drops file in System32 directory

    • Target

      RiskPlatform/Palisade_Course.lic

    • Size

      405B

    • MD5

      066ac70d36c8366513498d5bd1affeeb

    • SHA1

      c4cf43b1ace6d981c1a6250445ccde4c3c266e51

    • SHA256

      1d785931bbd20c2a606f3994fa6dfd4e73d531683573cf35d103f1e636ee3f71

    • SHA512

      3c9f37e589ca851133b3d99a62665c1006ea48b6c81b396cd66514ad6c18397ffe14738094194ee026b284517fdcbf5bf48b65d9ca22f088b7cbced486cc43a6

    • Score

      3/10

    • Target

      RiskPlatform/RiskPlatform-cust-Setup (1).exe

    • Size

      271.2MB

    • MD5

      be2b654c77086aa5baa154d2f8639c5d

    • SHA1

      5b36a274c86f1034c120f5a7e4a689125c609d65

    • SHA256

      f43c22f15b646ff3959c6f6f3da5bf98f096865190f35bca6a7dd7cad67a3dcf

    • SHA512

      7bb23bc848a3573df1004804f7e400ab619437c11b38ca87f863917f600ec5287891dd4c51b946b2a9473ac1d26e53c5c5afb9bb4c1c71e2c30e7edf96ef1e79

    • SSDEEP

      6291456:oZTrrpe49836sgMdytGmc3SVyB9ueg9hUKw0LNz+3R:o9/18KsHdytGmaB9aPUKrCB

    • Score

      6/10

    • Blocklisted process makes network request

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks