53eee95df04e2db4b9582c284db560c4fd98d0702a56054b45536e158f7f7446 | Triage

Sharing

General

Target

53eee95df04e2db4b9582c284db560c4fd98d0702a56054b45536e158f7f7446.bat
Size

32KB
Sample

241122-cxc1ssylem
MD5

07fda94f9503d182add2888e54973080
SHA1

d26a59c6dc0dbbb11234f25c0aca89249a4667e3
SHA256

53eee95df04e2db4b9582c284db560c4fd98d0702a56054b45536e158f7f7446
SHA512

6ae2024925bdae757e218d81bb5a997968c3b577549005a4e734a4b2f8b54a51a9df1642f8f98e4261488bd064dbe3b879e06cc64592c09d8bf78a3fc76890b7
SSDEEP

768:cWL/KYF7Izmkd5F2QVl5xpOI4qGcHet97v/EHY92Xw++leE+f:GJ2eaCd

Score

10^/10

execution persistence spyware stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.dropbox.com/scl/fi/qukhm5nxh9vj4yeib9imn/20_Advertising_Campaign_and_Collaboration.docx?rlkey=wbac1g8wzi5e49dnttqx9sv3h&st=g4q7mwtc&dl=1

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://gitlab.com/bosechang/mkt/-/raw/main/20Fukrun.zip

Targets

- Target
  
  53eee95df04e2db4b9582c284db560c4fd98d0702a56054b45536e158f7f7446.bat
- Size
  
  32KB
- MD5
  
  07fda94f9503d182add2888e54973080
- SHA1
  
  d26a59c6dc0dbbb11234f25c0aca89249a4667e3
- SHA256
  
  53eee95df04e2db4b9582c284db560c4fd98d0702a56054b45536e158f7f7446
- SHA512
  
  6ae2024925bdae757e218d81bb5a997968c3b577549005a4e734a4b2f8b54a51a9df1642f8f98e4261488bd064dbe3b879e06cc64592c09d8bf78a3fc76890b7
- SSDEEP
  
  768:cWL/KYF7Izmkd5F2QVl5xpOI4qGcHet97v/EHY92Xw++leE+f:GJ2eaCd
Score

10^/10

execution persistence spyware stealer
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

executionpersistencespywarestealer