Overview

overview

10

Static

static

10

420.exe

windows10-1703-x64

7

Midnight.exe

windows10-1703-x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    midnight and 420.rar

  • Size

    42.7MB

  • Sample

    240818-df1afavbrp

  • MD5

    63005cb24c7ad7a1a57c645bd64b0615

  • SHA1

    785e854991898148f2062aa6425f1e4d06f147eb

  • SHA256

    bcbb5c397e12827f11b0536fd4bff37a1d6629242924b69c41868e8429860279

  • SHA512

    bced4d9a1c732d6173cb54284c82675d81b346a7d1cdc7a140ef7af1094cae90da6bd39109ce6c69bf13b90a4a2e9a7c016df2dd794f043012f2037e5ead896c

  • SSDEEP

    786432:89uI8A4EeeycuO54f+t5+1DAVDpON+9uI8A4EeeycuO54f+t5+1DAVDpONo:T7NyKmt5+1ewNt7NyKmt5+1ewNo

Score
10/10
empyreancredential_accessdiscoverypersistenceprivilege_escalationpyinstallerspywarestealerupx

Malware Config

Targets

    • Target

      420.exe

    • Size

      21.5MB

    • MD5

      7082f7c7b7adf3f6bc825715ad3bd3fa

    • SHA1

      aa22e15be3f04b820f75393e84c92709dda4e75f

    • SHA256

      2929f4cd18312435d3d4198e2ac2961de365e036555020109a884822a9228fd5

    • SHA512

      99083ab893273aceb6b015fffa4c89f9cfd770ffa0c626c16346290ee4b66248980a26a7a2671e6ecb6d7268de949b21afca7ebe0494892dae5afc66125114f9

    • SSDEEP

      393216:aqPnLFXlr4ChH79E2FXQ8DOETgs77fG8KgjnFvE46i5Tk5zXYm:vPLFXN9brFQhE72c6KTk5x

    Score
    7/10
    upx

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1

    • Target

      Midnight.exe

    • Size

      21.5MB

    • MD5

      7082f7c7b7adf3f6bc825715ad3bd3fa

    • SHA1

      aa22e15be3f04b820f75393e84c92709dda4e75f

    • SHA256

      2929f4cd18312435d3d4198e2ac2961de365e036555020109a884822a9228fd5

    • SHA512

      99083ab893273aceb6b015fffa4c89f9cfd770ffa0c626c16346290ee4b66248980a26a7a2671e6ecb6d7268de949b21afca7ebe0494892dae5afc66125114f9

    • SSDEEP

      393216:aqPnLFXlr4ChH79E2FXQ8DOETgs77fG8KgjnFvE46i5Tk5zXYm:vPLFXN9brFQhE72c6KTk5x

    Score
    9/10
    credential_accessdiscoverypersistenceprivilege_escalationspywarestealerupx

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks