General

  • Target

    fatality.exe

  • Size

    3.1MB

  • Sample

    241021-jac6lsvdja

  • MD5

    a8f3e7de9218723b8abd30ce1422f139

  • SHA1

    d05e6763bd194951d812ce32e486c9bd7ca90fcc

  • SHA256

    fc711b6ee8babc14fb7a695bc94caa9df90deb4c7660bfeb99453251b674cf99

  • SHA512

    9f293d93d606bed405974d1e86bec7a7a0239d17c27cf2840bf843b15cc6b03847cb76afbbd2b75e73ae24b81f9c2ec85161f062de3626573862bcdbfa50b62a

  • SSDEEP

    49152:6Y+v/99OpKX1+2DAA1C8XAUO1aiENd7yIHY6CwCH8wzrtUGAzuV:6YSHy0o2D9AUO1avNRyIHY6Uc6rtX

Malware Config

Targets

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks