10f2af74b935ffc5664a6a9bf0d141f30777e4211ef4d75ad65c6db77554cbfb | Triage

Sharing

General

Target

10f2af74b935ffc5664a6a9bf0d141f30777e4211ef4d75ad65c6db77554cbfb.bat
Size

32KB
Sample

241122-cjst4askay
MD5

35dfb522fddada4616e915fb17888e31
SHA1

8fbbfe83e8f5faa59037fbbf4fd97bc2c78f95e6
SHA256

10f2af74b935ffc5664a6a9bf0d141f30777e4211ef4d75ad65c6db77554cbfb
SHA512

9e35fa005d0e1756bcf45b43db52c7be1ff584f8cdbf4349c06d6cabdff03acd1ea32c2e3cfc72cbd28b7d41853b2e7c44784b5d1e585b7fae2dc480e60305a5
SSDEEP

384:UuGq+dSBNrJ0AKr6CLNOPKQdKJGE9v62FTJsN/6SdRfIeq2sOGLtY6:mq+dSBNdBKrhLNJL8E9rTJsNCSE3w96

Score

10^/10

execution persistence spyware stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.dropbox.com/scl/fi/qukhm5nxh9vj4yeib9imn/20_Advertising_Campaign_and_Collaboration.docx?rlkey=wbac1g8wzi5e49dnttqx9sv3h&st=g4q7mwtc&dl=1

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://gitlab.com/bosechang/mkt/-/raw/main/20Fukrun.zip

Targets

- Target
  
  10f2af74b935ffc5664a6a9bf0d141f30777e4211ef4d75ad65c6db77554cbfb.bat
- Size
  
  32KB
- MD5
  
  35dfb522fddada4616e915fb17888e31
- SHA1
  
  8fbbfe83e8f5faa59037fbbf4fd97bc2c78f95e6
- SHA256
  
  10f2af74b935ffc5664a6a9bf0d141f30777e4211ef4d75ad65c6db77554cbfb
- SHA512
  
  9e35fa005d0e1756bcf45b43db52c7be1ff584f8cdbf4349c06d6cabdff03acd1ea32c2e3cfc72cbd28b7d41853b2e7c44784b5d1e585b7fae2dc480e60305a5
- SSDEEP
  
  384:UuGq+dSBNrJ0AKr6CLNOPKQdKJGE9v62FTJsN/6SdRfIeq2sOGLtY6:mq+dSBNdBKrhLNJL8E9rTJsNCSE3w96
Score

10^/10

execution persistence spyware stealer
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

executionpersistencespywarestealer