General

  • Target

    c96a43db0abf02b0db8ca6efc658dc38.exe

  • Size

    1.1MB

  • Sample

    241107-3tey4azhnm

  • MD5

    c96a43db0abf02b0db8ca6efc658dc38

  • SHA1

    a7c1b56d517d66e054e17c6cbd54bb3f1eafab8d

  • SHA256

    e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172

  • SHA512

    6a607ee81d5fa7837643402c9c1d657dea5f0e819b64731f92bf72383d416d6e219520f15e8fb6fd5531fb0b7a1464b80ec30f9699b4304863b276cc2831ff8a

  • SSDEEP

    24576:BrORE29TTVx8aBRd1h1orq+GWE0Jc5bDTj1Vyv9TvaT+DCfkPY:B2EYTb8atv1orq+pEiSDTj1VyvBaTJkQ

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper: https://my.cloudme.com/v1/ws2/:slight-stood/:web/web.txt

Targets

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Powershell Invoke Web Request.

    • Downloads MZ/PE file

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
