3ca8477e1531b2b78918ca1ee79d9b80b03bf0919a9eeec25f7a549398fc7e67 | Triage

Sharing

General

Target

Cyberduck-Installer-9.0.1.41941.exe
Size

58.2MB
Sample

240902-ylvx5axbqa
MD5

9d556822d19188ebf46bfce9954b024b
SHA1

f034c8a49fbfef0b8d3f7bfc17f67452ddb2700a
SHA256

3ca8477e1531b2b78918ca1ee79d9b80b03bf0919a9eeec25f7a549398fc7e67
SHA512

8b46007aafa0d9f6178abbb55d0d30cc4d5ff79ed21eaefc348dbd92b7873b1b21b29f65b7b2b901668001228bf93f19034b2eb5fe66f7b0c6adec3f27189253
SSDEEP

1572864:OIdxLjZUEgQ86OU5gr0uZURLSacV87DrKA0KWkh0G5FyN/57bYhHafhi:V9U20BZSS3iaS5cx0Hafhi

Score

10^/10

discovery evasion persistence privilege_escalation spyware stealer

Malware Config

Targets

- Target
  
  Cyberduck-Installer-9.0.1.41941.exe
- Size
  
  58.2MB
- MD5
  
  9d556822d19188ebf46bfce9954b024b
- SHA1
  
  f034c8a49fbfef0b8d3f7bfc17f67452ddb2700a
- SHA256
  
  3ca8477e1531b2b78918ca1ee79d9b80b03bf0919a9eeec25f7a549398fc7e67
- SHA512
  
  8b46007aafa0d9f6178abbb55d0d30cc4d5ff79ed21eaefc348dbd92b7873b1b21b29f65b7b2b901668001228bf93f19034b2eb5fe66f7b0c6adec3f27189253
- SSDEEP
  
  1572864:OIdxLjZUEgQ86OU5gr0uZURLSacV87DrKA0KWkh0G5FyN/57bYhHafhi:V9U20BZSS3iaS5cx0Hafhi
Score

10^/10

discovery evasion persistence privilege_escalation spyware stealer
- Modifies firewall policy service
  evasion
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Component Object Model Hijacking

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Component Object Model Hijacking

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryevasionpersistenceprivilege_escalationspywarestealer