49e17ce8b1df637a71dfac483e9fef72f6747e4235cce3871a1bb3f3a1371127 | Triage

Sharing

General

Target

WinSCP-6.3.5-Setup.exe
Size

11.1MB
Sample

241119-1pt64starb
MD5

d77322dc956da781905d553e3feb9153
SHA1

89db51587ecfb071fe71add71050e2d9e5377539
SHA256

49e17ce8b1df637a71dfac483e9fef72f6747e4235cce3871a1bb3f3a1371127
SHA512

af2ec6d994f8e4fcf912cfa122136a2262991fccc46b6dc98963f83e1f8170010b3c03076b134e81b4bdb54a1d1353cfa1328afc4c206c97113929e71ef437d4
SSDEEP

196608:07YbPaZbS+UseezGoXBWC6KtWrFhxC7a2RfhFMdccHCxJG++ZztkrRJHpMt4eQ:tL+bpUsR/tWrzxCO21occifG+KtcNr

Score

7^/10

discovery persistence privilege_escalation spyware stealer

Malware Config

Targets

- Target
  
  WinSCP-6.3.5-Setup.exe
- Size
  
  11.1MB
- MD5
  
  d77322dc956da781905d553e3feb9153
- SHA1
  
  89db51587ecfb071fe71add71050e2d9e5377539
- SHA256
  
  49e17ce8b1df637a71dfac483e9fef72f6747e4235cce3871a1bb3f3a1371127
- SHA512
  
  af2ec6d994f8e4fcf912cfa122136a2262991fccc46b6dc98963f83e1f8170010b3c03076b134e81b4bdb54a1d1353cfa1328afc4c206c97113929e71ef437d4
- SSDEEP
  
  196608:07YbPaZbS+UseezGoXBWC6KtWrFhxC7a2RfhFMdccHCxJG++ZztkrRJHpMt4eQ:tL+bpUsR/tWrzxCO21occifG+KtcNr
Score

7^/10

discovery persistence privilege_escalation spyware stealer
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

Component Object Model Hijacking

Privilege Escalation

Event Triggered Execution

Component Object Model Hijacking

Defense Evasion

Credential Access

Unsecured Credentials

Credentials in Registry

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoverypersistenceprivilege_escalationspywarestealer

behavioral2

discoverypersistenceprivilege_escalationspywarestealer