52a379af1fc57e3eaf903a52ce46e9beaba5d9e546ed9e9cc9c985b8b93c0d1c | Triage

Sharing

General

Target

Niko Tools.exe
Size

13.9MB
Sample

241009-qf57xazcpd
MD5

ff99d454791e3c075ce5785602103bae
SHA1

a87e0bf6120c8e9bbdece7dd469547e48d5dbc6a
SHA256

52a379af1fc57e3eaf903a52ce46e9beaba5d9e546ed9e9cc9c985b8b93c0d1c
SHA512

9752b027a8d30a805fc7a0933fb6b8d96316d1e9402875f0382e9dd2107ae007f13cb751f038acfd6778b004fb41bc6572315385ef1d6d7eea756382c96fe688
SSDEEP

196608:gHn/1TVrCm8pmYn10RQOX7m0l7yyPwSm/TVHJack+YlGlSRRbCv:gHn/1hx891Kjm0leyoSyacJYlTF

Score

8^/10

collection discovery execution spyware stealer

Malware Config

Targets

- Target
  
  Niko Tools.exe
- Size
  
  13.9MB
- MD5
  
  ff99d454791e3c075ce5785602103bae
- SHA1
  
  a87e0bf6120c8e9bbdece7dd469547e48d5dbc6a
- SHA256
  
  52a379af1fc57e3eaf903a52ce46e9beaba5d9e546ed9e9cc9c985b8b93c0d1c
- SHA512
  
  9752b027a8d30a805fc7a0933fb6b8d96316d1e9402875f0382e9dd2107ae007f13cb751f038acfd6778b004fb41bc6572315385ef1d6d7eea756382c96fe688
- SSDEEP
  
  196608:gHn/1TVrCm8pmYn10RQOX7m0l7yyPwSm/TVHJack+YlGlSRRbCv:gHn/1hx891Kjm0leyoSyacJYlTF
Score

8^/10

collection discovery execution spyware stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

Query Registry

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

collectiondiscoveryexecutionspywarestealer