General
Target: incognito.zip
Size: 39.5MB
Sample: 240930-cpqxpasflq
MD5: 48d2d534b1789cdc760bb515777ef528
SHA1: 7c84a24a8be3f70adf4af19d39ac29e232ec4332
SHA256: caabd3afad17cae8fb2ccc4a3c91dcc7424046c013debf5ddd8af5446eadb556
SHA512: dfc6eea6c91808cb1287605eb4008a750a68c5d5882771dc479b9bc725511675395a3191e39924eb5cb1d7bb11cefcc8eb83fef1eab37df81f364c75196cb86f
SSDEEP: 786432:PXRndPJ5FNkiAWRIoP2qXyvWnk1XBHOECXqVWCaaE8qJG9SQ:5ndBbRAWRIoP2qXuW8VCXqVHaaEQAQ
Behavioral task: behavioral1
Sample: incognito/incognito/bin/incognito-luau.dll
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: incognito/incognito/bin/incognito-luau.dll
Resource: win10v2004-20240802-en

Behavioral task: behavioral3
Sample: incognito/incognito/incognito.exe
Resource: win7-20240903-en

Behavioral task: behavioral4
Sample: incognito/incognito/incognito.exe
Resource: win10v2004-20240802-en
Malware Config

Targets

Target: incognito/incognito/bin/incognito-luau.dll
Size: 1.3MB
MD5: 157fd035b2a344a94166d7db3756df0e
SHA1: f221d28c1deb80b4e8d9201226435aefce6b0f75
SHA256: 8716c75aff75941711aff8770836f47eb9a254416089ef3571c6fc9a338b3009
SHA512: fad0174fbd22f58dd4fcdaad8378c214270b4faeaca64d9cb306f50e9316072a4c417c5723c4123b8bf94a3dba6ef4e3303ec60f4a2cf0c3a54d8ab375ea717d
SSDEEP: 24576:ZqBSLRktEBl6blwTUMD4zB1VU2bFjYWR0pMQUAqLRAovh4bSAXVVRNRfMXZO:ZqBSLRkt8l6blSU//+2bFfvA1SQVVRNk
Score: 1/10
Target: incognito/incognito/incognito.exe
Size: 38.8MB
MD5: 59f8e658cf34334dd88a8f67da31ba85
SHA1: bddb50c2de10bd5a1d06c667e7b9c7cdd68fdd89
SHA256: 780329f1842fdde4f7a215ea3c597d5c90e969d538756bb837fa20af17f8947f
SHA512: c56ccdbdd3d803c3763505bef40258a9c9c10f03f92490c21226e39aa628a1a081664d26543db6007f25d1650233d45c37c327e3ba77df95e2ba57680e3deee5
SSDEEP: 786432:yPLFXNfh50sQhEwLuDtQPux6F2Bf5aFMR8DoewQW650F:2LFdJ5QhE8uDtquGhMR8DdwQW7
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)