General

  • Target

    Bootstrapper_V3.127.exe

  • Size

    61KB

  • Sample

    241113-yrkpcaydrl

  • MD5

    b458115052e651c31a5b09011f2802c5

  • SHA1

    8ca6e2cd7108f5c04591f84d0a6d60762a069087

  • SHA256

    4ccfe9678dc5023c6b39450db5e323e6598d92051974a39e3dceb4dcef1fa2fb

  • SHA512

    cd0f8826fc2c1f538ef50d587af6ad85780bbcccb30a74333381dd416cab0b1b7610b251298dac2af27923dda9963c68509ddc3b7bc009047453a1958beec884

  • SSDEEP

    768:Lx9PeIBbVaiY5yebNx27Qh6s1wn1b+ObiMBnwXuYVZoAtRlfRw3txfGp0zLiG:L/P7BbVaiY5yepCsCgXJVZrtQtxk0yG

Malware Config

Targets

    • Target

      Bootstrapper_V3.127.exe

    • Size

      61KB

    • MD5

      b458115052e651c31a5b09011f2802c5

    • SHA1

      8ca6e2cd7108f5c04591f84d0a6d60762a069087

    • SHA256

      4ccfe9678dc5023c6b39450db5e323e6598d92051974a39e3dceb4dcef1fa2fb

    • SHA512

      cd0f8826fc2c1f538ef50d587af6ad85780bbcccb30a74333381dd416cab0b1b7610b251298dac2af27923dda9963c68509ddc3b7bc009047453a1958beec884

    • SSDEEP

      768:Lx9PeIBbVaiY5yebNx27Qh6s1wn1b+ObiMBnwXuYVZoAtRlfRw3txfGp0zLiG:L/P7BbVaiY5yepCsCgXJVZrtQtxk0yG

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Blocklisted process makes network request

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks