General

  • Target

    3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4

  • Size

    169KB

  • Sample

    241029-x9rd6sxmdv

  • MD5

    fc505b7730fbbdead6d352aba01d6a18

  • SHA1

    aa28e00c57c2a9a8638c777bb90f1f1528d359bb

  • SHA256

    3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4

  • SHA512

    7a61ec10f25cd40fe7c596d4afc1adfdf8497a5595768891372de12f9a44b176ecaa59cd84046e46d1277d30701d1bc68e8f8ed3606bcc535967764a7c1ae14d

  • SSDEEP

    3072:EkMXuXhNC38S7gzQ/cqD4UT6R27Xrcrc0D83SOYrbnBI5a36rERRQSIpiJrenYPG:ayzQ/4WXwrJn9rbnBbLRRQSIpiJrenYe

Malware Config

Extracted

Family

nightingale

C2

https://api.telegram.org/bot6884699661:AAGPbkqESYn7iH7c6q7YuTlciwwO2tHQev0/sendDocument

Targets

    • Nightingale family

    • Nightingale stealer

      Nightingale stealer is an information stealer written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks