General

  • Target

    a9a5156e6c02ef71536fa26d7a19883d_JaffaCakes118

  • Size

    413KB

  • Sample

    240819-fe8xasycqn

  • MD5

    a9a5156e6c02ef71536fa26d7a19883d

  • SHA1

    b96331803fb42f5732d1c3dd5961f2dd24960334

  • SHA256

    4f8719454a5d66f66217862dfa00f945e23fa900ebbb2a15020e95d1456d9e8f

  • SHA512

    18bb6b8d2edd878eab033a6c1d5de730d9ece114474520996bbcae5fcd9cfee6834d753d288c58bf030ff544d70b42260489f9aa3d172c5c7798bafbd6cf0b32

  • SSDEEP

    6144:hHxV+CnbBGYyu3b31ncqvR3hTfwzka3ztI0jV2fo+8RoG7tswzLrQqGm+69jU:bkCnw63b3BhTfKztIffrG7qcvDhjU

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.maccinox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    peru2016

Targets

    • Target

      orden010221.exe

    • Size

      482KB

    • MD5

      d35463b27bc9d531685c21d6b25bcb23

    • SHA1

      44222b7cc9de3847bef8c6b5f5639a824edbaf7b

    • SHA256

      2348ad3a4247f29ff40fbbdcbf559dedf6396e2fda0a1a9693d48fa0f0bc14b7

    • SHA512

      de042bf76e89376c444b58f1ac055ca60306d1526c9cbd5de17334b8b6923098d67002b8579565347f7c1790da25b8ac0a32ba05647be84abe414c47f860c365

    • SSDEEP

      12288:gb09CXxbZi970MGS33h3fIzRIBfzG7qCv7d6:gUIbZnSnhHfzGuCDI

    • 404 Keylogger

      Information stealer and keylogger first seen in 2019.

    • 404 Keylogger Main Executable

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • CustAttr .NET packer

      Detects CustAttr .NET packer in memory.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar items.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks