General
-
Target
Bootstrapper_V3.127.exe
-
Size
61KB
-
Sample
241113-yrkpcaydrl
-
MD5
b458115052e651c31a5b09011f2802c5
-
SHA1
8ca6e2cd7108f5c04591f84d0a6d60762a069087
-
SHA256
4ccfe9678dc5023c6b39450db5e323e6598d92051974a39e3dceb4dcef1fa2fb
-
SHA512
cd0f8826fc2c1f538ef50d587af6ad85780bbcccb30a74333381dd416cab0b1b7610b251298dac2af27923dda9963c68509ddc3b7bc009047453a1958beec884
-
SSDEEP
768:Lx9PeIBbVaiY5yebNx27Qh6s1wn1b+ObiMBnwXuYVZoAtRlfRw3txfGp0zLiG:L/P7BbVaiY5yepCsCgXJVZrtQtxk0yG
Static task
static1
Malware Config
Targets
-
-
Target
Bootstrapper_V3.127.exe
-
Size
61KB
-
MD5
b458115052e651c31a5b09011f2802c5
-
SHA1
8ca6e2cd7108f5c04591f84d0a6d60762a069087
-
SHA256
4ccfe9678dc5023c6b39450db5e323e6598d92051974a39e3dceb4dcef1fa2fb
-
SHA512
cd0f8826fc2c1f538ef50d587af6ad85780bbcccb30a74333381dd416cab0b1b7610b251298dac2af27923dda9963c68509ddc3b7bc009047453a1958beec884
-
SSDEEP
768:Lx9PeIBbVaiY5yebNx27Qh6s1wn1b+ObiMBnwXuYVZoAtRlfRw3txfGp0zLiG:L/P7BbVaiY5yepCsCgXJVZrtQtxk0yG
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Blocklisted process makes network request
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2