Overview

overview

10

Static

static

10

Hollow.nova7.4.exe

windows7-x64

7

Hollow.nova7.4.exe

windows10-2004-x64

9

main.pyc

windows7-x64

3

main.pyc

windows10-2004-x64

3

Resubmissions

10-09-2024 14:18

240910-rmqlgayflc 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Hollow.nova7.4.exe

  • Size

    18.4MB

  • Sample

    240910-rmqlgayflc

  • MD5

    0eccd228c2645b50e28cc82d81d59fbd

  • SHA1

    81f33dad7cf167c36630da3f4ba249f482523fb4

  • SHA256

    a0109b2dbaa9d58fa022090d798d800fa5edbc429a04c10e83bd833890d4cb89

  • SHA512

    d71faf3c32402756776361e01ef8f84c57e87c4a1845aec0cf67806be5ae520e1f0721e45925677beaba08c9138ac04aaeaca1e37d1b61ab59004b822e74a3e3

  • SSDEEP

    393216:qqPnLFXlr9QpDOETgs77fGaQgzxTvEu4SVjNL6q:/PLFXN9QoE7gWicdxr

Score
10/10
empyreancredential_accessdiscoverypersistenceprivilege_escalationpyinstallerspywarestealerupx

Malware Config

Targets

    • Target

      Hollow.nova7.4.exe

    • Size

      18.4MB

    • MD5

      0eccd228c2645b50e28cc82d81d59fbd

    • SHA1

      81f33dad7cf167c36630da3f4ba249f482523fb4

    • SHA256

      a0109b2dbaa9d58fa022090d798d800fa5edbc429a04c10e83bd833890d4cb89

    • SHA512

      d71faf3c32402756776361e01ef8f84c57e87c4a1845aec0cf67806be5ae520e1f0721e45925677beaba08c9138ac04aaeaca1e37d1b61ab59004b822e74a3e3

    • SSDEEP

      393216:qqPnLFXlr9QpDOETgs77fGaQgzxTvEu4SVjNL6q:/PLFXN9QoE7gWicdxr

    Score
    9/10
    upxcredential_accessdiscoverypersistenceprivilege_escalationspywarestealer

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

    • Target

      main.pyc

    • Size

      7KB

    • MD5

      0009fff420b6a8c3491c4a5e86aedb14

    • SHA1

      930c1697b367bc1255af660e6c4d8c55997bc474

    • SHA256

      e9cfb73d310e54180b8267f2ef656428d093ca7bc78a782a42a7d4e37ac69e7f

    • SHA512

      0dc848b794e0e2aba732792b02ff7e6150dadd09721500649908bf6721de54650514aca9f41b56bbcc248f4f5fb2fedb8706b8baab767f3cee29b492394ea30b

    • SSDEEP

      192:w5RC50XP28D89qVtaZWdXwa1fb6qU+VWXEJhwmQhfNFTMdwu+Anw:N0XPsKSWusfGqYY27NFTPuHw

    Score
    3/10
    discovery
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks