General

  • Target

    ce0225610cb2f114c23155f1e4fdfac0d86af169c278266bd8a1c922f411ba9b

  • Size

    641KB

  • Sample

    241116-tbsykasrck

  • MD5

    f8d2a5cc9aa842b7702ad66f680cd0a7

  • SHA1

    218791261aff510ef3b52322cec6952d64df854a

  • SHA256

    ce0225610cb2f114c23155f1e4fdfac0d86af169c278266bd8a1c922f411ba9b

  • SHA512

    9f4627ba37294d068f75fcd8f62fc84cf0555c25d89d9844c4167fb4ff7916187eb013ca91f922027e3baa5aedef7ab24b20e3f00a2b567d069b2f46f57fcd04

  • SSDEEP

    12288:BnMDf/wGl01UvH1MKM9rHQ6OE1H9amr5xiPueC+LC6y:mDf41w1tM9rHQ6/Hvr5kPueC+2r

Malware Config

Targets

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks