27120c50d8beca9b037c8a191147654a6d5baeacb6a07110081687d058204afd | Triage

Sharing

General

Target

27120c50d8beca9b037c8a191147654a6d5baeacb6a07110081687d058204afd
Size

239KB
Sample

240920-xvcbpssgre
MD5

5845db51b5dd9d17ae390cf0ee34e67b
SHA1

973134067cddaffe656a2f83a91693c0c6f0ee8e
SHA256

27120c50d8beca9b037c8a191147654a6d5baeacb6a07110081687d058204afd
SHA512

bc053bd22fda9b57e9f99d984ad1f1a1861aa78eebb1ee43c5871c8fe53b438432f645b0fc6905f6cfa0f52a90003a5f0475d04243e6320441d61b0ea029f12d
SSDEEP

3072:hsXRmUIMitiMQose27vc+Eld+xZp2vPRL1tT06zJoxAWBcKpSP//dwR1l9B4hTb:GR5IuMQoseGk7RZBGxAycKpSPX2pUF

Score

10^/10

credential_access discovery evasion persistence spyware stealer

Malware Config

Targets

- Target
  
  27120c50d8beca9b037c8a191147654a6d5baeacb6a07110081687d058204afd
- Size
  
  239KB
- MD5
  
  5845db51b5dd9d17ae390cf0ee34e67b
- SHA1
  
  973134067cddaffe656a2f83a91693c0c6f0ee8e
- SHA256
  
  27120c50d8beca9b037c8a191147654a6d5baeacb6a07110081687d058204afd
- SHA512
  
  bc053bd22fda9b57e9f99d984ad1f1a1861aa78eebb1ee43c5871c8fe53b438432f645b0fc6905f6cfa0f52a90003a5f0475d04243e6320441d61b0ea029f12d
- SSDEEP
  
  3072:hsXRmUIMitiMQose27vc+Eld+xZp2vPRL1tT06zJoxAWBcKpSP//dwR1l9B4hTb:GR5IuMQoseGk7RZBGxAycKpSPX2pUF
Score

10^/10

credential_access discovery evasion persistence spyware stealer
- Modifies visiblity of hidden/system files in Explorer
  evasion
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

credential_accessdiscoveryevasionpersistencespywarestealer