General

  • Target

    https://www.googleadservices.com/pagead/aclk?nis=4&sa=L&ai=CS2UGlvs1Z_3XFuqA_NUP0JDCwQ23r7GYe96uytOBE_rRreqTDhABIKPW8zFg_YKAgLARoAGTwr-QPsgBAqgDAcgDyQSqBMECT9ATlQ83WrGN_3zbwubUm4-dcfLruIMMM0XXVjgxd4vPC-F1bTRhlVlFCCLdD-1PXpDaXl0HjcDWxS7Jf4_-qUu71dpLfzP-IXqM4VGICxPoB739VwP9TvTT8fVvho0QQPmYlA4YVcX8tEXOkaQwwMhCa5wQuEY-12pCdb8SfNel23n3PfY8ZiU8HYb6NU7w25StUfd6AmWpjupg0zJDwNW7fPsIhKwbQ58euDPmrBuVCzuvX9RdKXiMynynhS4a5B4xfVbmcKeLk7_4VN7jLgm98Q44oruxGH9_Z6MDSX2bKkFUHq1na62oANx9Ujt5p5b7IFoL_ThvPc_21SQhxFpxa1Lgxt4LzdV1qOhV_Qir3767AsISialSbiYIbRVAbX5Y6UFtz8HmgaQ_ALT9yGEt0qwTnbAVEQ0Y7ctKuURzwASYs5f_-QSIBdGnibtRoAYCgAeT-o_wGKgH1ckbqAfZtrECqAemvhuoB47OG6gHk9gbqAfw4BuoB-6WsQKoB_6esQKoB6--sQKoB5oGqAfz0RuoB5bYG6gHqpuxAqgHg62xAqgH4L2xAqgH_56xAqgH35-xAqgHyqmxAqgH66WxAqgH6rGxAqgHmbWxAqgHvrexAqgH-MKxAqgH-8KxAtgHAdIILAiAgYAQEAEYHjIBIjoQn9CDgICABIDAhICAtKiAAki9_cE6WMe_rLH324kDsQlGTSHSlaKOuYAKAZgLAcgLAdoMEAoKEICau6L68cGRWhICAQOqDQJJVMgNAdgTDdAVAfgWAYAXAbIXAhgBuhcCOAGyGAkSArBTGAIiAQDQGAHoGAE&ae=1&ase=2&gclid=EAIaIQobChMI_fqssffbiQMVagC_BB1QiDDYEAEYASAAEgJv9PD_BwE&num=1&cid=CAQSOwCa7L7d0YsTBafKy0An0KbVCANdErUyvlb26ktTTVq10vkwYtHTw9dQ2iHrBFNvq7p8WrxzhHiA4jDDGAE&sig=AOD64_0oLm3rRf8zdkYkcsAvZwXopGQSgA&client=ca-pub-4894759983606832&rf=2&nb=2&adurl=https://pcappstore.com/%3Fap%3Dadwp%26as%3Dg_d_all_es_it_jp_in%26dm%5Btype%5D%3Ddis%26gad_source%3D5%26gclid%3DEAIaIQobChMI_fqssffbiQMVagC_BB1QiDDYEAEYASAAEgJv9PD_BwE

  • Sample

    241114-qsh8xayrav

Malware Config

Targets

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.
