General

  • Target

    Spf.zip

  • Size

    20.2MB

  • Sample

    241102-saqw5sxcnd

  • MD5

    653d4f45cd6e2f22d8061abcb3e4f2b2

  • SHA1

    adc9bd9ce938c334b10c11b5cbe8f581295b29cb

  • SHA256

    3b9f7b7dc3c08364bf50b309610d919e4ffbf48c28a99749fa2463ef68437c66

  • SHA512

    c4c5fb85b6098403e40e3c1b6e710ec3a60d6874d71cf95cbad97c9e31db03e5d9d2109b3a3a4c80784bb4ececdcb6e94e877c03517dcc34f42abe784ad5252e

  • SSDEEP

    393216:zP8iKeu0N+Fg4no0HyONwMEm3+KevRAwoC70mQgf6ewrZsEn8ey6xGSx:IiY0YxE6w23+Kt57PebEx
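To make use of the digests above, a responder usually wants to re-hash a local copy of the archive and confirm it is the sample this report describes, or sweep a directory for files matching any of the listed SHA-256 values. The following Python is an added example, not code from the sandbox or from this report; it embeds the SHA-256 values listed on this page (the archive and the three executables it contains) and computes all four digest types in one pass so a large archive is read only once. The function names and the file-walking logic are this example's own.

```python
import hashlib
from pathlib import Path

# SHA-256 values copied from the report: the submitted archive and the three
# executables unpacked from it, keyed by the name each is reported under.
REPORTED_SHA256 = {
    "Spf.zip": "3b9f7b7dc3c08364bf50b309610d919e4ffbf48c28a99749fa2463ef68437c66",
    "LKV1.5.exe": "703d0b9160ba1f4b5ffd1fd7a73c1c2aeaa90198ed66b967b8352b37cbe876a0",
    "plugin/plugin.exe": "a5b556d66b9973affb4f3b0bce00650e96eab80330cf6db43fdabd54080ff3ab",
    "plugin/sdp.exe": "536322560f701bf09fe9ff223128e52c5d00f940c14f075b5a8ad0c10a8c1122",
}

# The four digest types the report lists; all are computed in a single pass.
ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def digest_bytes(data: bytes) -> dict:
    """Return {algorithm: hexdigest} for an in-memory blob."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_file(path, chunk_size: int = 1 << 20) -> dict:
    """Same as digest_bytes but streams the file, so a 20 MB archive is not
    loaded into memory and every hasher sees each chunk exactly once."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_reported(sha256_hex: str, reported: dict = REPORTED_SHA256) -> list:
    """Names under which the report lists this SHA-256; empty list means no match.
    Comparison is case-insensitive because tools print hex in either case."""
    needle = sha256_hex.strip().lower()
    return [name for name, value in reported.items() if value == needle]


def scan_directory(root, reported: dict = REPORTED_SHA256) -> dict:
    """Map each file under root to the report entries whose SHA-256 it matches."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            names = match_reported(digest_file(path)["sha256"], reported)
            if names:
                hits[str(path)] = names
    return hits


if __name__ == "__main__":
    import sys
    for location, names in scan_directory(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{location}: matches {', '.join(names)}")
```

Run it against the directory the archive was unpacked into; a file that matches is reported under the name the sandbox used, so a renamed copy of plugin/sdp.exe is still identified. The MD5 and SHA-1 values are computed for comparison with older feeds only; SHA-256 is the value used for matching.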

Malware Config

Targets

    • Target

      LKV1.5.exe

    • Size

      5.8MB

    • MD5

      5199a1f8f1960efaaff58651f2596d8e

    • SHA1

      346a2616606a7227db838db0869e16edf334864b

    • SHA256

      703d0b9160ba1f4b5ffd1fd7a73c1c2aeaa90198ed66b967b8352b37cbe876a0

    • SHA512

      a777c2312b576366c9ae342bdb0204ea5bc0947a0e9d64eed93f158c962c68fc7ddd6da823e6399e79ae958c02e637ca045b906beec9eea77f2b09adc2f47b8f

    • SSDEEP

      98304:qx4R9dM/FjxlUKKko2DYuDibBs+vW/BMYZHwXdQqpJID6Tgipfsc2Lqljdd0sbvO:+l/3mKEu2bBsXBMYZHMbIKgipfscRljs

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly read stored browser data such as saved credentials and cookies.

    • Unsecured Credentials: Credentials In Files

      Searches local files for insecurely stored credentials (MITRE ATT&CK T1552.001).

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Command and Scripting Interpreter: PowerShell

      Runs commands through powershell.exe (MITRE ATT&CK T1059.001).

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Enumerates processes with tasklist

    • Target

      plugin/plugin.exe

    • Size

      8.5MB

    • MD5

      f8ad11d7dd55179a16f8432d8065c7c7

    • SHA1

      75866cdc9fd9c3b9cb5ee679875ec3557132080c

    • SHA256

      a5b556d66b9973affb4f3b0bce00650e96eab80330cf6db43fdabd54080ff3ab

    • SHA512

      5f16b30aff85f2f8c6d7db477dbfd00044685804842e569bab2866b55a947889dc7fb583d2158e3c867f7cd18263a97f860f86dd7848f6e9a35503598472b6e4

    • SSDEEP

      196608:pkaiyat1U5PB5lkrVBwX+9BLsSbHFqwb1ERgld7fL+N5:pkPyae1krzwX+91s+XEyc5

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly read stored browser data such as saved credentials and cookies.

    • Unsecured Credentials: Credentials In Files

      Searches local files for insecurely stored credentials (MITRE ATT&CK T1552.001).

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Command and Scripting Interpreter: PowerShell

      Runs commands through powershell.exe (MITRE ATT&CK T1059.001).

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Enumerates processes with tasklist

    • Target

      plugin/sdp.exe

    • Size

      6.2MB

    • MD5

      b51abb96b619dd8aba5002aa4f871707

    • SHA1

      d9416cdc4be762d184775ddb660cbe1484f357fa

    • SHA256

      536322560f701bf09fe9ff223128e52c5d00f940c14f075b5a8ad0c10a8c1122

    • SHA512

      d2e752eba414afe6f39c1d46d5d3b75b38438c7334c2b9c28a7bbd9cec9021a082f690bd982c9b876f0b8cd1baa2b7f89010de8e96196bef5176c9aae627630f

    • SSDEEP

      196608:CGjpC5GZP6RzTY5fNh+FOnc3hwXUlWPxc/O:CYC+6axnGT3MoSxcm

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly read stored browser data such as saved credentials and cookies.

    • Unsecured Credentials: Credentials In Files

      Searches local files for insecurely stored credentials (MITRE ATT&CK T1552.001).

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Command and Scripting Interpreter: PowerShell

      Runs commands through powershell.exe (MITRE ATT&CK T1059.001).

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Enumerates processes with tasklist
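The signature names above are what the sandbox matched, but a responder usually wants the same behaviours recognisable in endpoint telemetry. The following Python is an added example, not code from the sandbox or from the sample: it checks a handful of the behaviours the report lists for all three executables (PowerShell execution, an encoded command, tasklist enumeration, an external-IP lookup) against constructed Sysmon-style process-creation events. The event contents, the list of IP-lookup hosts and the -EncodedCommand abbreviations are this example's assumptions; the report does not say which lookup service or command lines the sample actually used.

```python
import base64
import re

# Report signature names reused as keys so findings line up with the report.
SIG_POWERSHELL = "Command and Scripting Interpreter: PowerShell"
SIG_OBFUSCATION = "Obfuscated Files or Information: Command Obfuscation"
SIG_TASKLIST = "Enumerates processes with tasklist"
SIG_IP_LOOKUP = "Looks up external IP address via web service"

# Assumed list of public IP-lookup hosts; the report does not name the one used.
IP_LOOKUP_HOSTS = ("api.ipify.org", "ipinfo.io", "ifconfig.me", "icanhazip.com", "ip-api.com")

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are the
# abbreviations seen most often. The capture group is the base64 payload.
ENCODED_FLAG = re.compile(
    r"(?:^|\s)-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
TASKLIST = re.compile(r"\btasklist(?:\.exe)?\b", re.I)


def encode_powershell(command: str) -> str:
    """-EncodedCommand takes the base64 of the UTF-16LE bytes of the script."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_powershell(blob: str) -> str:
    """Inverse of encode_powershell; raises ValueError for anything malformed."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        raise ValueError(f"not an encoded PowerShell command: {exc}") from exc


def analyse_event(event: dict) -> dict:
    """Map signature name -> evidence for one process-creation event."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    findings = {}
    if image.endswith(("powershell.exe", "pwsh.exe")):
        findings[SIG_POWERSHELL] = cmd
        match = ENCODED_FLAG.search(cmd)
        if match:
            try:
                decoded = decode_powershell(match.group(1))
            except ValueError:
                decoded = "<undecodable> " + match.group(1)
            findings[SIG_OBFUSCATION] = decoded
            cmd = cmd + " " + decoded  # also inspect what the encoding hid
    if image.endswith("tasklist.exe") or TASKLIST.search(cmd):
        findings[SIG_TASKLIST] = cmd
    lowered = cmd.lower()
    for host in IP_LOOKUP_HOSTS:
        if host in lowered:
            findings[SIG_IP_LOOKUP] = host
            break
    return findings


def analyse_events(events) -> dict:
    """Union of findings over a whole log, keyed by signature name."""
    merged = {}
    for event in events:
        for name, evidence in analyse_event(event).items():
            merged.setdefault(name, []).append(evidence)
    return merged


# Constructed sample log (Sysmon Event ID 1 fields), not data from the report.
HIDDEN = ("Invoke-WebRequest -UseBasicParsing https://api.ipify.org "
          "| Select-Object -ExpandProperty Content; tasklist /v")
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -w hidden -enc " + encode_powershell(HIDDEN)},
    {"Image": r"C:\Windows\System32\tasklist.exe", "CommandLine": "tasklist /v"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe readme.txt"},
]

if __name__ == "__main__":
    for name, evidence in analyse_events(SAMPLE_EVENTS).items():
        print(f"{name}: {evidence}")
```

The point of decoding the payload before matching is that the tasklist and IP-lookup checks would otherwise miss the first event entirely: on the wire it is just powershell.exe with a base64 argument. The same decode step is worth applying to any -EncodedCommand seen in the sandbox's own process tree for this sample.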

MITRE ATT&CK Enterprise v15

Tasks