General

  • Target

    SilverBullet 1.4.1 [Pro].zip

  • Size

    42.3MB

  • Sample

    241004-n13amssdpp

  • MD5

    919770fb7387818cf80cb79bb53bbb0c

  • SHA1

    fd8c22185f28d6585225295884cb1495dad44cdd

  • SHA256

    cf44f5c1dc5bfccb23436149f3de5f4292fc141a9ec7f5349c5e31b2b483c176

  • SHA512

    263081395c4239c5a6aeaae6903d97d7675e6d4875069d128b842074575e906cf255fb3394420b99a75243e70d4bbf35123801f4b26be29acaaaa74d27e4bcfb

  • SSDEEP

    786432:wTSVngzDC5rtFu4gUTg0NzoGQPTO1MJTKT9uoq7NbqklvyaoAH1Gftmmo0:LceFu32OPa1LqZmklq2oZ

Malware Config

Targets

    • Target

      SilverBulletPro.exe

    • Size

      582KB

    • MD5

      7792204600db976484caa3992b121b30

    • SHA1

      9b343f3c67b13d9632ed862ee010a2aff0c6810c

    • SHA256

      a1a301d6a034b7a656b955d18191cd817f255a918d92994678728a5b1b0367e8

    • SHA512

      bd711debe936b21130dfdd273a117cb0c5d31bfc972dbe89827546c4210d6b19aaf6ce287ff502112c9796be07300147079f29ef334fdd1691dfded0e9f98920

    • SSDEEP

      12288:Qtzww69TdCahIRMJuAfki/U7vsBqpq/S1Q:owNTd16M0/i/U7vqqpU

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Enumerates processes with tasklist

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      errorlog.exe

    • Size

      613KB

    • MD5

      ab216b4212f3f27e41b26259a830c777

    • SHA1

      e2550a35cf1e4f6f08e28c43a6437fad6cc60711

    • SHA256

      62ef275d396e894861167bd16ffa5fa78773f698447b51315ad84c9c5ff1f0d6

    • SHA512

      d9b20fa1e0714232b9ad6683951991da3da98c294f8e62b441557b062229bd0a19e127a8e071a30b4033932bb400a4853f7866e3774f134f50538b95b5535bb6

    • SSDEEP

      12288:hDToXd0Y8NahIRMJuAfki/U7vsBqpq/S1:xoz8A6M0/i/U7vqqp

    • Score

      1/10

    • Target

      host.exe

    • Size

      6.9MB

    • MD5

      906e8cc6ac10240f8eeae1638a610575

    • SHA1

      e13f28d6c04107f533dff9583cc65464263292de

    • SHA256

      3758473eb45e5d8b24d6c2a36d65b10a71652a2accd7ce6fba916b24e754a77e

    • SHA512

      2a73ea78a0bab159ba952af5223d573afc1ef683813cda6b7d4e6a5f53b5f2f40447b3b9e25cd31f4b7139fd3be8343041153b874d7cb37fcd4e77bcec3d91fa

    • SSDEEP

      98304:lRmDjWM8JEE1rdAamaHl3Ne4i3Tf2PkOpfW9hZMMoVmkzhxIdfXeR8YKJJcGhEIK:l00NBeNTfm/pf+xk4dWR8trbWOjgs+P

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Enumerates processes with tasklist

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      x64/expections.exe

    • Size

      49.1MB

    • MD5

      e31a089b094ea6538148195df6ca7673

    • SHA1

      9c6b3139d64f45907dc4cb51fdd1dc0347842f93

    • SHA256

      2f209ea2d5c80892a323bd77a301de210026fb6d0d4bac2ea680f57830095d91

    • SHA512

      0ae70e86ce8d5864ea6da33334343133a7bf13da2be4c19dc19ed2120d8fc0e94029d671ce9be56866c6b47d64e72ddce98ae089d0f085784a862b9523f48ec9

    • SSDEEP

      393216:VMh9Sl6eQnIhATeD+C/pW/cRhuX9BVeZW2pRR5uH6+:M9kQI+qD+C/pWsuX/eZ4a

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      x64/leptonica-1.82.0.dll

    • Size

      3.9MB

    • MD5

      497e0275a17d6524542fd4191bbadeea

    • SHA1

      c7cc2a6f38391680bffa67588829802efef4c7d4

    • SHA256

      a477273302efc8ad7f82fc3c0d33f54626a26a66e933d03699cd921aa35ff012

    • SHA512

      91876dbd7cd42c7fa740d508d6fb7ad0d31bde6524fe4d474d3662ddf4bcab2742d8c27482a6b6c220f3bc7d10189f91b0ce6711723adf753f788fd705636749

    • SSDEEP

      49152:mswZaNhoxIIoJ2YQ8km8I72iHWj1nbH8n2akRhd0VtXOBxYd5NNNT/Q8mI7G2U5W:ph8p1bHAuYd/NNTJ

    • Score

      1/10

    • Target

      x64/runtime.exe

    • Size

      13.2MB

    • MD5

      a4fd5040db03f0c04306ab7824320269

    • SHA1

      32a4e4f1c7d0c0fe1be81bddecafeb2303a8227b

    • SHA256

      52c7c34bcc42c907a275f706cde7c03eab24287f3aec081f0bd88780de131e7c

    • SHA512

      ca00c6c4cbd5dab079ce204f9adabba1c748869d79a172bdf8aa434aa97de4c3627273208ecd970159eae432e5e3bf69e7e860a9cae07e5a7918c98cd1d0e9c2

    • SSDEEP

      393216:AIEkZgf8iq1+TtIiFGvvB5IjWqn6eCz1lypRXiWCoaa:rRbiq1QtIZX3ILn6esyaVoaa

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

    • Target

      x64/tesseract53.dll

    • Size

      2.6MB

    • MD5

      273038c2b425b6b089a172efca63e128

    • SHA1

      288fe02355f1da5102645f7743ebd9934ea6871f

    • SHA256

      bd5444629d4bbe297c3bde98efbc9c0ffe8eb2660a0b051d44841b7fd2430a39

    • SHA512

      9f34bafaa997394f835671b365b526a6dae666e1d09d03bc6342671eee1b16ffe97036799cefb7d9e040042ae4c0ff813296480937d6c3fd43e7e0fda99e1f27

    • SSDEEP

      49152:4sqZW+PFy5JRo1NFtzVnqwnC1bGnlVl//vV9qdx20FH6dk6UV+:tcDZjAKntgZz6UV

    • Score

      1/10

MITRE ATT&CK Enterprise v15

Tasks