General

  • Target

    File.rar

  • Size

    7.8MB

  • Sample

    241116-2g4k9avgrc

  • MD5

    7ad698ff87653a5bbaf18a925b18e1f0

  • SHA1

    e44be1ebe5f5d18c9497c50142ad5aca34d4fc21

  • SHA256

    a5b5a16e70ba83f8895db7849ace8a9e8e1a8ea3ce4cc2d2cb3dd6aa187b0aec

  • SHA512

    3be20dd6004b4e7e0ddc3fc4d285b2add19ed18ba044f87849792c967f734972a84e9a0d3601debd8e8499641dfd575ef8913d095f1d67b8cef8ee0e4287e13f

  • SSDEEP

    196608:0vAjshv1Kzl0YO61zZZLUNXhlHHiRzC7w9BvR1ccaNhn65t0:JshoxhzfL+LHiRaSBpYh6H0

Malware Config

Targets

    • Target

      File/image.png.lnk

    • Size

      1024B

    • MD5

      2cdc3e1cb4c8e19851acbb30409d0dea

    • SHA1

      438767b56dd441be44746fb93e67d83922c33759

    • SHA256

      a91fc9eee942f457e045194afe71141c0eefd24cf9b13fec88fd7658ff5a6fe6

    • SHA512

      ea76fd145a22e7afa7df3df9f110f02a61bddaad50447486d8cb06475ee501c2eac7263a0c480f7bb155c438a87c9a153b90262cea26c130ce7d15adea035963

    • Score

      7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      File/testing.png

    • Size

      7.9MB

    • MD5

      468d57a336819e4c6c198a21d61aecb4

    • SHA1

      2c8675173d3ca7986fdac391a549ce383372d951

    • SHA256

      7114e10265076cb82da6c0c103e10a6b300a0f960b253b04be74fca6fba79415

    • SHA512

      584355229b3246f1cb8e86c2e047682713567f3a74108ab24a667606adad46ae086f7452c37d0877d50f8678898c8a4b87e3a8a9e1f3f7868591d818137df0b9

    • SSDEEP

      196608:sZajcQ3QRVgUZe6c/PEq+j53sCQCkOVKkqHu1S:s4wQARRuPGe3CkO4eS

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Enumerates processes with tasklist

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks