General
-
Target
svchost.exe
-
Size
8.2MB
-
Sample
240928-x91mvawalf
-
MD5
22b419febd1e4681ae73128136b02c8d
-
SHA1
15e979738b23f3525f37f93b68061026fb232ef8
-
SHA256
e3f26dfb29607226d2cf66f4fe40b3a4dfb5c8545f06539e0cf4ecd59c25f989
-
SHA512
e9788db78833f6de83df389999ad00253a1f6f856c052966513dbe6397bf4064a14e6b833e95f3af3af3b4b9e9b5f0c606f77190e9c51acc72d69cfab19ed50e
-
SSDEEP
196608:p/gjyqrVEu2wfI9jUC2gYBYv3vbWhnF/+iITx1U6nK:ujyUVEu9IH2gYBgDWhn0TnzK
Malware Config
Targets
-
-
Target
svchost.exe
-
Size
8.2MB
-
MD5
22b419febd1e4681ae73128136b02c8d
-
SHA1
15e979738b23f3525f37f93b68061026fb232ef8
-
SHA256
e3f26dfb29607226d2cf66f4fe40b3a4dfb5c8545f06539e0cf4ecd59c25f989
-
SHA512
e9788db78833f6de83df389999ad00253a1f6f856c052966513dbe6397bf4064a14e6b833e95f3af3af3b4b9e9b5f0c606f77190e9c51acc72d69cfab19ed50e
-
SSDEEP
196608:p/gjyqrVEu2wfI9jUC2gYBYv3vbWhnF/+iITx1U6nK:ujyUVEu9IH2gYBgDWhn0TnzK
Score8/10-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Clipboard Data
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Enumerates processes with tasklist
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Obfuscated Files or Information
1Command Obfuscation
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3