General

  • Target

    Client.exe

  • Size

    566KB

  • Sample

    241015-rdms8aybqe

  • MD5

    2d8b62a3c80564246fb137a03c46c695

  • SHA1

    6b6ece02f2023b54377fd84212899384c660fe38

  • SHA256

    5bf28baffbc63b7ff0df28a03a7b19687b7d101493361b8007243059dd11fb64

  • SHA512

    92981065a7b1ffdfccbf838fbca5d5e467b596f069b46105090a3f0c64fbe4fbe82adbd088ee68ceb8b74f34226014ca84659fe15521f71ed6eaf986df2ac359

  • SSDEEP

    6144:9PoTxMqfK2navc5DFV66fe6VlWT8b9dP4ZbpTU05CPwC0Jr/6bH1tsGidMMf8:9wcUBFQ6fPVle8QpTUZ0J7QOvMU8

Malware Config

Targets

    • Target

      Client.exe

    • Modifies WinLogon for persistence

    • Event Triggered Execution: AppInit DLLs

      Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution to or away from particular regions.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, session cookies and autofill data.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2
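
When triaging a host for the persistence behaviours listed above (Winlogon modification, AppInit DLLs, a Run key), the quickest offline check is to audit an exported copy of the relevant keys. The script below is an added example, not code from the sandbox or from the analysed sample. It parses the text of a Windows `reg export` file and flags a Winlogon `Shell` that is not plain `explorer.exe`, a `Userinit` value with extra entries, any `AppInit_DLLs` value (reporting whether `LoadAppInit_DLLs` would actually load it), and Run-key entries whose image lives in a user-writable directory. The registry export embedded in it is constructed for illustration and is not data from this sample's run; the paths and value names in it (`Client`, `client.dll`, `C:\Users\Public`) are assumptions.

```python
"""Audit a Windows .reg export for the persistence mechanisms this report
flags: Winlogon Shell/Userinit changes, AppInit_DLLs and Run-key entries.
The export below is CONSTRUCTED for illustration; it is not taken from the
analysed sample."""
import re

# Constructed sample export (assumption: paths and names are illustrative).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Users\\Public\\Client.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Users\\Public\\client.dll"
"LoadAppInit_DLLs"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Client"="C:\\Users\\Public\\Client.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

WINLOGON = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
WINDOWS_NT = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
RUN_KEYS = [
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run',
    r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce',
]
# Heuristic (assumption): autostart images in user-writable directories deserve a look.
USER_WRITABLE = re.compile(r'\\(users|programdata|temp|appdata|public)\\', re.I)


def parse_reg(text):
    """Return {key_path: {value_name: value}} for REG_SZ and REG_DWORD values.
    Other value types (hex(2), hex(7), ...) are skipped; the checks here do
    not need them."""
    reg, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            reg.setdefault(key, {})
            continue
        m = VAL_RE.match(line)
        if not m or key is None:
            continue
        name, raw = m.group(1), m.group(2)
        if raw.startswith('"') and raw.endswith('"'):
            # .reg escapes backslash and double quote with a backslash.
            value = re.sub(r'\\(.)', r'\1', raw[1:-1])
        elif raw.startswith('dword:'):
            value = int(raw[6:], 16)
        else:
            continue
        reg[key][name] = value
    return reg


def audit(reg):
    """Return a list of (finding_kind, detail) tuples for the parsed export."""
    findings = []
    wl = reg.get(WINLOGON, {})
    if 'Shell' in wl and wl['Shell'].strip().lower() != 'explorer.exe':
        findings.append(('winlogon_shell', wl['Shell']))
    if 'Userinit' in wl:
        parts = [p.strip() for p in wl['Userinit'].split(',') if p.strip()]
        if len(parts) != 1 or not parts[0].lower().endswith(r'\system32\userinit.exe'):
            findings.append(('winlogon_userinit', wl['Userinit']))
    nt = reg.get(WINDOWS_NT, {})
    if nt.get('AppInit_DLLs'):
        state = 'loaded' if nt.get('LoadAppInit_DLLs') == 1 else 'present but LoadAppInit_DLLs=0'
        findings.append(('appinit_dlls', f"{nt['AppInit_DLLs']} ({state})"))
    for key in RUN_KEYS:
        for name, cmd in reg.get(key, {}).items():
            if isinstance(cmd, str) and USER_WRITABLE.search(cmd):
                findings.append(('run_key', f'{key}\\{name} -> {cmd}'))
    return findings


if __name__ == '__main__':
    for kind, detail in audit(parse_reg(SAMPLE_REG)):
        print(f'{kind:18} {detail}')
```

On a live host the export is produced with `reg export <key> out.reg`; note that `reg export` writes UTF-16LE with a BOM, so open it with `encoding='utf-16'` before passing the text to `parse_reg`. Two caveats: on Windows 8 and later the AppInit_DLLs mechanism is ignored when Secure Boot is enabled, so a populated `AppInit_DLLs` is an indicator of intent rather than proof of execution there, and the user-writable-directory heuristic will miss a Run-key entry that points at a dropped file in a system directory, so review every unfamiliar entry, not only the flagged ones.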

MITRE ATT&CK Enterprise v15

Tasks