Resubmissions

11-11-2024 13:48

241111-q3313aypg1 9

11-11-2024 13:37

241111-qw257azdlj 3

11-11-2024 13:36

241111-qwd4cstjdm 3

11-11-2024 13:16

241111-qhw21syncy 9

11-11-2024 13:13

241111-qf72haynbv 9

General

  • Target

    fafd551638daa4ab17ebdc71f2bffd8599332b1f1e95409af51870502cd65e38.zip

  • Size

    1.7MB

  • Sample

    241111-qhw21syncy

  • MD5

    4c139c0588e27cbb3d5ba6f7d7be2879

  • SHA1

    f84231e796f84946fd5d00f5cae95fc5f3c3f962

  • SHA256

    d3bcd07cac842a5f7a0c99f07454dea366024baf3cd85fba3c12830a2c580f0a

  • SHA512

    f1542b3700567f4e20c600785147b10c56f5fc9344b330576ca299e3d1062347927ff27ce4f0a7c50a92a9429e86c38d7c9456823984fd4c4f5720749719838f

  • SSDEEP

    49152:8uKokKfq7ORxpheX7v4CkZKgJEmu7zS0h+b0:DnW7ORx+z4nZKyEJ7by0

Malware Config

Targets

    • Target

      fafd551638daa4ab17ebdc71f2bffd8599332b1f1e95409af51870502cd65e38.exe

    • Size

      1.8MB

    • MD5

      c8bdae4b54ec9fb34babe5908c1273f1

    • SHA1

      53111c9f481f86109c4f045c7c65523d9f5906b0

    • SHA256

      fafd551638daa4ab17ebdc71f2bffd8599332b1f1e95409af51870502cd65e38

    • SHA512

      ab78acf0a806ad909c8c6e46d13e1428efa29eea35620e6a9a40f3b4e08333a6ae83671a39af96a14f0b71d2dd7f021b9354393fa0e4962d1c9b241a71814450

    • SSDEEP

      24576:Y7Y2nzJAFNcKtO5fE7T2rVP2DoKomRXvYU/S7VCiG3M02N7nVDJXgPGaoz7HkcKb:sYUzOHjSfE/+0RAhQ7j2RV1SGaAX1k

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • A potential corporate email address has been identified in the URL: [email protected]

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Detected potential entity reuse from brand STEAM.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks