Resubmissions

29-08-2024 11:14  240829-ncgc9sybpe  3

16-08-2024 20:51  240816-znlb5szdrr  3

16-08-2024 20:19  240816-y36e7aybqm  9

15-08-2024 16:42  240815-t758rssbrb  8

15-08-2024 16:35  240815-t3qbra1hnh  5

11-08-2024 20:08  240811-ywkj5swbjq  10

11-08-2024 20:05  240811-ytzw2swalk  5

05-08-2024 09:44  240805-lqwn1awglf  8

05-08-2024 09:38  240805-lmhmzawfmf  6

General

  • Target

    http://bing.com

  • Sample

    240815-t758rssbrb

Malware Config

Targets

    • Contacts a large (879) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Mark of the Web detected: This indicates that the page was originally saved or cloned.

    • Detected potential entity reuse from brand Steam.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks