Overview

overview

8

Static

static

3

Avira Phan...31.exe

windows7-x64

8

Avira Phan...31.exe

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Avira Phantom VPN Pro 2.41.1.25731.kuyhAa.7z

  • Size

    7.2MB

  • Sample

    240821-zk8y2azcpd

  • MD5

    07f25861b7118c243ed05a75d79a8492

  • SHA1

    65b72c0c0fa9d1fd6b00964faf7dd0b45ad10a45

  • SHA256

    3d829d5826297e66e2471fa4c0b4a7fc23e784ca1cdca0288c435f367bb912d1

  • SHA512

    4ce43f32ab7271f1c9e7bcf8722f2ecb1b46a1e48dcd618c59edc8c51401890590b4d89e0ce489dee2264f64968941f6905b9a31d57abdef262a1ca2741a48c8

  • SSDEEP

    196608:L8+XQMbvtkVzQTl+Kx4x9/LUP1oLaF5s3iR0GsIdyt:L8kxvGVzs+1oPmGFXegdyt

Score
8/10
discoveryevasionexecutionpersistenceprivilege_escalationspywarestealer

Malware Config

Targets

    • Target

      Avira Phantom VPN Pro 2.41.1.25731.kuyhAa/Avira Phantom VPN 2.41.1.25731.exe

    • Size

      7.2MB

    • MD5

      bf245b7db7637e6b2991105f62cc76de

    • SHA1

      1d7252929d5c4cb404a34e553b72757729c701d5

    • SHA256

      c414e764c53a81c6beb2c393635044661da238380492c182162b37f3e82a8c89

    • SHA512

      08380e7ab2012f453ec4cb72646ca3a920d32f2f253f5c956b239780d1d08e434c4353580f6f9c95317b0e76810bc9351def59039350b96a4d989ece80722076

    • SSDEEP

      196608:cI+4fSWrh9ry+5jCyVCavZ7jnEDHGV6uXVM4Fz6Krg:cIBZrXryiC8fnImV1zIKrg

    Score
    8/10
    discoveryevasionexecutionpersistenceprivilege_escalationspywarestealer

    • Creates new service(s)

      persistenceexecution

    • Modifies Windows Firewall

      evasion

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

2
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

3
T1012

Software Discovery

1
T1518

Security Software Discovery

1
T1518.001

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks