Overview

overview

9

Static

static

3

FieroHack/...ck.exe

windows10-2004-x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    FieroHack (2024).rar

  • Size

    109.5MB

  • Sample

    240921-csheqa1arl

  • MD5

    6097ca78ff5fba8ce01d4e908fb71ad1

  • SHA1

    b20f256311436344cfd7377e825fac6116263a3d

  • SHA256

    eb7f5ab59d282632bb4ae4c9c0e6dac4aca1d2c106250fd0caefc93379329732

  • SHA512

    753313d3f75c7ac53e99fb7d00db223ca029ff560f15547029249cf81ebe2d8902abfdacbfb88e96499a7ae800f6b4a2313ebbbca87110eeb593bc89f4c05aae

  • SSDEEP

    3145728:l4M1LBcTluaQOkrrtZCXeVj5T4s2/hMTyEBy0/XoOtpkl:hc5RHkftAeVNTMIy69Ppu

Score
9/10
credential_accessdiscoveryevasionexecutionpersistencespywarestealer

Malware Config

Targets

    • Target

      FieroHack/FieroHack.exe

    • Size

      841.5MB

    • MD5

      4391a7a45800488b546cabf6a4de419b

    • SHA1

      3736dddcf7b8e9d92ce0fe4cca8943f837363474

    • SHA256

      02a694b8995187b59915bbc597b403431ada5255955531f03e5a8ed1a516872c

    • SHA512

      ed65614fec0639af9325caed915b7300a49780c166eeeadfb6fa158933ad09d3529e5b25da98ed5b6e95b9ac7ad5b3f171f358a27d73490a22181bcea61aa903

    • SSDEEP

      98304:W+dazBjv4Wls4S9sRJBGuPycYTTk6iG5:5dWBefaBG7G

    Score
    9/10
    credential_accessdiscoveryevasionexecutionpersistencespywarestealer

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Creates new service(s)

      persistenceexecution

    • Stops running service(s)

      evasionexecution

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

      persistence

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

System Services

2
T1569

Service Execution

2
T1569.002

Persistence

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Power Settings

1
T1653

Privilege Escalation

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Defense Evasion

Impair Defenses

1
T1562

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Tasks