General

  • Target

    lp

  • Size

    3KB

  • Sample

    241113-31cgjs1gmg

  • MD5

    1b898b551676aff0fecbc91f581cd479

  • SHA1

    1d37c5832827794115628e4aec1a817da65fe43b

  • SHA256

    d36ac2ba4e842fce623ab23c468502ea9a35da444e3e93491d5f1d614f8e6b51

  • SHA512

    94d2fc85fd4f27dc4caba234e2945c64816ce39a3ec733e777e22c3d3c0d1cc765b6d89e82c92771e0fc1013bbe828fa52d2e9877343f8549c9c3e23860ae245

Targets

    • Downloads MZ/PE file

    • A potential corporate email address has been identified in the URL: =@L

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Mark of the Web detected: This indicates that the page was originally saved or cloned.

    • Suspicious use of NtSetInformationThreadHideFromDebugger
