General

  • Target

    29ce0132efcb5e1aad146065672d83b6b4ced076f1c91a851c8b34a30e7e08eb

  • Size

    911KB

  • Sample

    241117-nl5gfsyhkk

  • MD5

    3dc6111263e1e236519080dbea81c1f1

  • SHA1

    1600ba53fdd878a0d93e7eaabec5b82558c8d6f2

  • SHA256

    29ce0132efcb5e1aad146065672d83b6b4ced076f1c91a851c8b34a30e7e08eb

  • SHA512

    051c1588a01320d03845f4cfe4bd03dbd2a5281ef80313929397fe11da6a7e43848102b6f527d19c924d2f757b6feefb2dc1253cc34c11cd2d9d16b024827de8

  • SSDEEP

    12288:AZRrXQ9TZweOjcQjabDu0zUmoKzHwIpwxyI1E4y0L4idflnXirA7PZxkR:QwOjdeut7Kslxy8fMrEa

Targets

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so that the dropped components are not scanned.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely to geofence execution by region.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other profile data.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Setting the context of a thread in another process is a common process-injection primitive, used to redirect a suspended thread to attacker-supplied code.

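The behaviours listed above are what a sandbox signature engine matches against captured events. As an added example, not code from the original report or from the sandbox that produced it, the script below re-implements those checks over constructed events: it decodes PowerShell -EncodedCommand payloads before looking for Defender exclusions, and maps registry reads, file reads, DNS lookups and API calls to the signature names used on this page. The indicator values (registry keys, profile file names, IP-lookup hosts, API names) are assumptions about what a sample with these behaviours typically touches, not data from the report.

```python
"""Signature matcher for sandbox-style behaviour events (added example)."""
import base64
import re
from collections import defaultdict

# --- indicators: assumed common-case values, not taken from the report -----
MPPREF_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
EXCLUSION_RE = re.compile(
    r"-Exclusion(Path|Extension|Process)\s+((?:\"[^\"]*\"|'[^']*'|[^\s\"'])+)",
    re.IGNORECASE)
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})",
                        re.IGNORECASE)
GEO_REGISTRY_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$",
                             re.IGNORECASE)
OUTLOOK_PROFILE_RE = re.compile(r"\\Microsoft\\Office\\\d+\.0\\Outlook\\Profiles",
                                re.IGNORECASE)
BROWSER_DATA_RE = re.compile(
    r"\\User Data\\.+\\(?:Login Data|Cookies|Web Data)$"
    r"|\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(?:logins\.json|key4\.db)$",
    re.IGNORECASE)
EMAIL_DATA_RE = re.compile(
    r"\\Thunderbird\\Profiles\\[^\\]+\\(?:logins\.json|key4\.db)$", re.IGNORECASE)
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "ipinfo.io", "icanhazip.com"}
INJECTION_APIS = {"SetThreadContext", "NtSetContextThread"}


def expand_powershell(cmdline):
    """Return the command line plus any decoded -EncodedCommand payload.

    -EncodedCommand takes base64 of UTF-16LE text; malware uses it to hide
    cmdlets such as Add-MpPreference from naive string matching.
    """
    text = cmdline
    for m in ENCODED_RE.finditer(cmdline):
        try:
            text += "\n" + base64.b64decode(m.group(1)).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            pass  # not a valid encoded command; keep the raw command line only
    return text


def defender_exclusions(cmdline):
    """Return [(kind, value), ...] for exclusions added via Add/Set-MpPreference."""
    text = expand_powershell(cmdline)
    if not MPPREF_RE.search(text):
        return []
    found = []
    for m in EXCLUSION_RE.finditer(text):
        # Comma-separated lists are allowed; surrounding quotes are stripped.
        for item in m.group(2).split(","):
            found.append((m.group(1).capitalize(), item.strip("'\"")))
    return found


def match_signatures(events):
    """Map each behaviour signature name to the evidence that triggered it."""
    hits = defaultdict(list)
    for ev in events:
        kind = ev["type"]
        if kind == "process":
            for excl_kind, value in defender_exclusions(ev["cmdline"]):
                hits["Command and Scripting Interpreter: PowerShell"].append(
                    f"Exclusion{excl_kind}={value}")
        elif kind == "regread":
            if GEO_REGISTRY_RE.search(ev["key"]):
                hits["Checks computer location settings"].append(ev["key"])
            elif OUTLOOK_PROFILE_RE.search(ev["key"]):
                hits["Accesses Microsoft Outlook profiles"].append(ev["key"])
        elif kind == "fileread":
            if BROWSER_DATA_RE.search(ev["path"]):
                hits["Reads user/profile data of web browsers"].append(ev["path"])
            elif EMAIL_DATA_RE.search(ev["path"]):
                hits["Reads user/profile data of local email clients"].append(ev["path"])
        elif kind == "dns":
            if ev["host"].lower() in IP_LOOKUP_HOSTS:
                hits["Looks up external IP address via web service"].append(ev["host"])
        elif kind == "api" and ev["name"] in INJECTION_APIS:
            hits["Suspicious use of SetThreadContext"].append(
                f"{ev['name']} -> pid {ev['target_pid']}")
    return dict(hits)


def _b64_utf16(script):
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed events mirroring the report's behaviour list (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": "powershell.exe -nop -w hidden -c \"Add-MpPreference "
     "-ExclusionPath 'C:\\Program Files\\Updater',C:\\Users\\Public "
     "-ExclusionExtension .exe,.dll\""},
    {"type": "process", "cmdline": "powershell.exe -enc "
     + _b64_utf16("Add-MpPreference -ExclusionProcess svchost.exe")},
    {"type": "regread", "key": "HKCU\\Control Panel\\International\\Geo\\Nation"},
    {"type": "regread", "key": "HKCU\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"},
    {"type": "fileread", "path": "C:\\Users\\victim\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"type": "fileread", "path": "C:\\Users\\victim\\AppData\\Roaming\\Thunderbird\\Profiles\\abcd1234.default\\logins.json"},
    {"type": "fileread", "path": "C:\\Users\\victim\\Documents\\notes.txt"},  # benign, no hit
    {"type": "dns", "host": "api.ipify.org"},
    {"type": "api", "name": "SetThreadContext", "target_pid": 4120},
]

if __name__ == "__main__":
    for name, evidence in match_signatures(SAMPLE_EVENTS).items():
        print(f"[+] {name}")
        for item in evidence:
            print(f"      {item}")
```

Run as-is to see all seven signatures fire on the constructed events; the encoded-command event is the one most string-only detections miss, and the benign file read shows the matcher does not flag ordinary user files.

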
MITRE ATT&CK Enterprise v15