General

Target: r6_injector.exe
Size: 116KB
Sample: 240905-rvh7cstdjb
MD5: 1fdd133509b97f752ee0f2c99b0366d7
SHA1: 3224a05feb22662e28c2417e07f6ed256ead775d
SHA256: 5e5bd13d191204db8cf3764a17929a1f00741a369bdcd4a3c5067bc37054673c
SHA512: 103de1970b04c57c836772d328587fce2c8a7e7d2ada6762c4e9029a471ed52f29b2cd67830e3328279fdce1179365fb9765229cb2dc79b2658576273e6df6ae
SSDEEP: 1536:PAO9JW77h/X2ajd32SBlh7uTq9H/sCzdZRnJfIyJS2gR5mrlec9CRgbcRdqFHXfx:yxCW9HbRnNIegR5mrl1MROZZfkYCIiJ
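Before relying on any of the behaviour below, an analyst should confirm that the file in hand is the same sample the report describes. The following is an added example (not part of the sandbox report) that compares a file's digests against the four hashes listed above, splits the SSDEEP signature into its block size and the two fuzzy-hash halves, and applies the cheap MZ/PE shape check the "Downloads MZ/PE file" signature refers to. The bytes used to exercise it are constructed here (a fake MZ header with a PE signature), so they deliberately do not match the report's hashes; point `verify_sample` at the real file to get a match.

```python
"""Confirm that a local file is the sample described in the report.

Added example, not part of the original report. REPORT_HASHES and
REPORT_SSDEEP are copied from the report's General section; the demo input
CONSTRUCTED_PE is fabricated here, so against the report's hashes it must
NOT match.
"""
import hashlib

# Indicators copied verbatim from the report.
REPORT_HASHES = {
    "md5": "1fdd133509b97f752ee0f2c99b0366d7",
    "sha1": "3224a05feb22662e28c2417e07f6ed256ead775d",
    "sha256": "5e5bd13d191204db8cf3764a17929a1f00741a369bdcd4a3c5067bc37054673c",
    "sha512": "103de1970b04c57c836772d328587fce2c8a7e7d2ada6762c4e9029a471ed52f"
              "29b2cd67830e3328279fdce1179365fb9765229cb2dc79b2658576273e6df6ae",
}
REPORT_SSDEEP = ("1536:PAO9JW77h/X2ajd32SBlh7uTq9H/sCzdZRnJfIyJS2gR5mrlec9CRgbcRdqFHXfx:"
                 "yxCW9HbRnNIegR5mrl1MROZZfkYCIiJ")


def hashes_of(data: bytes) -> dict:
    """Compute the four digests the report lists, as lowercase hex."""
    return {alg: hashlib.new(alg, data).hexdigest()
            for alg in ("md5", "sha1", "sha256", "sha512")}


def verify_sample(data: bytes, expected: dict) -> dict:
    """Per-algorithm match result against a dict like REPORT_HASHES.
    Comparison is case-insensitive: tools print digests in either case."""
    actual = hashes_of(data)
    return {alg: actual[alg] == expected[alg].lower() for alg in expected}


def parse_ssdeep(sig: str) -> tuple:
    """Split a CTPH signature into (blocksize, chunk_hash, double_chunk_hash).

    The report's signature starts with 1536: the block size used for the
    first hash; the second hash is computed with twice that block size.
    Two signatures are only comparable if their block sizes are equal or
    differ by exactly one doubling, so the block size is worth extracting.
    """
    parts = sig.split(":")
    if len(parts) != 3 or not parts[0].isdigit():
        raise ValueError("not a blocksize:hash:hash ssdeep signature")
    return int(parts[0]), parts[1], parts[2]


def is_pe(data: bytes) -> bool:
    """Cheap MZ/PE shape check: DOS 'MZ' magic plus a 'PE\\0\\0' signature at
    the offset stored in e_lfanew (bytes 0x3c..0x3f of the DOS header)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_off:pe_off + 4] == b"PE\x00\x00"


# Constructed stand-in for a downloaded PE (not the real sample):
# MZ magic, e_lfanew pointing at offset 0x40, PE signature there.
CONSTRUCTED_PE = bytearray(0x80)
CONSTRUCTED_PE[:2] = b"MZ"
CONSTRUCTED_PE[0x3C:0x40] = (0x40).to_bytes(4, "little")
CONSTRUCTED_PE[0x40:0x44] = b"PE\x00\x00"
CONSTRUCTED_PE = bytes(CONSTRUCTED_PE)

if __name__ == "__main__":
    print(verify_sample(CONSTRUCTED_PE, REPORT_HASHES))  # all False: not the real sample
    print(parse_ssdeep(REPORT_SSDEEP)[0])                # block size 1536
    print(is_pe(CONSTRUCTED_PE))                         # True
```

All four digests are checked rather than MD5 alone because MD5 and SHA-1 collisions are practical for an attacker who controls both files; a SHA-256 mismatch with an MD5 match should be treated as "not the same sample".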
Static task: static1
Behavioral task: behavioral1
Sample: r6_injector.exe
Resource (analysis VM image): win10v2004-20240802-en
Malware Config

Targets

Target: r6_injector.exe
Size: 116KB
MD5 / SHA1 / SHA256 / SHA512 / SSDEEP: identical to the values in the General section above (same file)
Signatures

- Credentials from Password Stores: Credentials from Web Browsers. Malicious access to, or copying of, a web browser's saved-credential store.
- Downloads MZ/PE file. A second executable is fetched at run time.
- Checks computer location settings. Looks up the country code configured in the registry (typically the user's region settings under HKCU\Control Panel\International), most likely to geofence execution so the payload only runs outside certain countries.
- Executes dropped EXE. The downloaded or written executable is launched.
- Adds Run key to start application. A value under a CurrentVersion\Run key makes the program start again at logon.
- Suspicious use of NtSetInformationThreadHideFromDebugger. Calling NtSetInformationThread with the ThreadHideFromDebugger class stops the thread from delivering debug events to an attached debugger; it is an anti-analysis measure, so an analyst stepping through this sample should expect to lose the thread after that call unless the call is patched or hooked.
MITRE ATT&CK Enterprise v15

Counts are the number of matches the sandbox recorded for each technique.

Privilege Escalation
  Boot or Logon Autostart Execution: 1
    Registry Run Keys / Startup Folder (T1547.001): 1
Credential Access
  Credentials from Password Stores: 1
    Credentials from Web Browsers (T1555.003): 1
  Unsecured Credentials: 2
    Credentials In Files (T1552.001): 1
    Credentials in Registry (T1552.002): 1