Overview

overview

10

Static

static

10

spoofink.exe

windows7-x64

7

spoofink.exe

windows10-1703-x64

10

spoofink.exe

windows10-2004-x64

8

spoofink.exe

windows11-21h2-x64

8

!f�>p��.pyc

windows10-1703-x64

!f�>p��.pyc

windows10-1703-x64

!f�>p��.pyc

windows10-2004-x64

!f�>p��.pyc

windows11-21h2-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    spoofink.exe

  • Size

    8.4MB

  • Sample

    241016-fkw5patdje

  • MD5

    1489cbe726ac1c9450dc215f402c7095

  • SHA1

    978ccc8236f3ddc25b8508f72ff6eb0890a74206

  • SHA256

    871947f160ae8572a65796f206d46998cac353f17d4752436683099bc2688f42

  • SHA512

    9c84ba8e2884b71bcf83e5a85431cd6bc7300e79de7f8dda14ad8b70f29b227f6d1f3cde9f42c88685439c467dbbb552f75efca29280301267c798cf91287e9e

  • SSDEEP

    196608:NTcuYIHwfI9jUCzi4H1qSiXLGVi7DMgpZASEyQ0VMwICEc/j0:B4IHziK1piXLGVE4UrS0VJY

Score
10/10
blankgrabbercollectioncredential_accessdiscoveryevasionexecutionpersistencespywarestealerupx

Malware Config

Targets

    • Target

      spoofink.exe

    • Size

      8.4MB

    • MD5

      1489cbe726ac1c9450dc215f402c7095

    • SHA1

      978ccc8236f3ddc25b8508f72ff6eb0890a74206

    • SHA256

      871947f160ae8572a65796f206d46998cac353f17d4752436683099bc2688f42

    • SHA512

      9c84ba8e2884b71bcf83e5a85431cd6bc7300e79de7f8dda14ad8b70f29b227f6d1f3cde9f42c88685439c467dbbb552f75efca29280301267c798cf91287e9e

    • SSDEEP

      196608:NTcuYIHwfI9jUCzi4H1qSiXLGVi7DMgpZASEyQ0VMwICEc/j0:B4IHziK1piXLGVE4UrS0VJY

    Score
    10/10
    upxcollectioncredential_accessdiscoveryevasionexecutionpersistencespywarestealer

    • Deletes Windows Defender Definitions

      Uses mpcmdrun utility to delete all AV definitions.

      evasion

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Sets service image path in registry

      persistence

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Enumerates processes with tasklist

      discovery

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2behavioral3behavioral4

    • Target

      !f�>p��.pyc

    • Size

      1KB

    • MD5

      005483b325ed9a98058a7fefb29d4698

    • SHA1

      1603bc9cc7f24617308164c9e5bbb88d9f3547b6

    • SHA256

      1da3004f7fc8f4d2b793804686eddb48172def9330f2a7e87499b41a57d0a8c4

    • SHA512

      ac4718942e66a16f117edc71da79e66485d7e782a55a6d58c8e16eccc12a095c3a3928e861c04f414d1774599d03f083cf86544e8c61ab862952cf24f158a5b3

    Score
    1/10
    behavioral5behavioral6behavioral7behavioral8

MITRE ATT&CK Enterprise v15

Tasks