General

  • Target

    b1c8ea27ae819eecf5517c6aed222e9d.exe

  • Size

    2.6MB

  • Sample

    241014-1txg2aycqd

  • MD5

    b1c8ea27ae819eecf5517c6aed222e9d

  • SHA1

    132c66bab9a1666f49963c3da9b37d73eba4a43b

  • SHA256

    4f487e7b86b7c1dcf52cb3016dda1c1a13c1489edd6f235836268d61834450d9

  • SHA512

    1cdae52ee45bbe91403c9df4f38db5ddb2822b11348a0acc99a0af51df9a9b4ef7fe2f574ddc73aa83f7eb73f146baff1a5cdcf73bd23ac237dd5dcd3d39482a

  • SSDEEP

    49152:ON8JWqOQE1IEmQfIvITTT7VrKMMS8thwvrxXiN4MUtkzBqTdD/AG:OFqs1QrwPThrn8tE9PvKqTdz

Malware Config

Targets

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Creates new service(s)

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks