General
-
Target
nkemchui.exe
-
Size
37.6MB
-
Sample
240903-p82vhsycnb
-
MD5
42709de634c80cb7d5ce1df21970ac8d
-
SHA1
09f4264988e6bc7472dd43b70d45b17d465c5e73
-
SHA256
19be7a745afa10fcc05ba050951318fb3d2da79f1b67c52926d88410464021df
-
SHA512
eaf1332b6bbc1b646d7695aa6460b2e39e200aa19fceef5b0129a0e8433311587261121976461655da6f3623a445fe4556a20938c948726b4525bce5cd0c5c41
-
SSDEEP
393216:RQgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mge96l+ZArYsFRlCPm:R3on1HvSzxAMNeFZArYsqPvE7OZgKMH
Malware Config
Targets
-
-
Target
nkemchui.exe
-
Size
37.6MB
-
MD5
42709de634c80cb7d5ce1df21970ac8d
-
SHA1
09f4264988e6bc7472dd43b70d45b17d465c5e73
-
SHA256
19be7a745afa10fcc05ba050951318fb3d2da79f1b67c52926d88410464021df
-
SHA512
eaf1332b6bbc1b646d7695aa6460b2e39e200aa19fceef5b0129a0e8433311587261121976461655da6f3623a445fe4556a20938c948726b4525bce5cd0c5c41
-
SSDEEP
393216:RQgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mge96l+ZArYsFRlCPm:R3on1HvSzxAMNeFZArYsqPvE7OZgKMH
Score9/10-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Clipboard Data
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Hide Artifacts: Hidden Window
Windows that would typically be displayed when an application carries out an operation can be hidden.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
An obfuscated cmd.exe command-line is typically used to evade detection.
-
Enumerates processes with tasklist
-