General

  • Target

    Pvt Hooks.rar

  • Size

    7.3MB

  • Sample

    241130-gw1gxs1kdr

  • MD5

    f2f2bc99451966cbe5d3eac82d04c192

  • SHA1

    91ecfd21be0f9df10ace16606a8e83063d20aece

  • SHA256

    899517a9868cd13a0598c60129bc8050a0d5afc6259c9108a59c8a7f26a1e2ed

  • SHA512

    39dfd96ceb1fb11745ed51b6ee0085a4dd94a563490e5ee4b313838615c373de282b75247eefcfaf1d514d5bcf3336783832046e216ed8adf69cfadde4bb63a5

  • SSDEEP

    196608:EXHOAPIky5foxxnbmG5B5oMzdt5CmfdTyb/XE:EXOAxJ3nCqhzZfd+r0

Malware Config

Targets

    • Target

      Pvt Hooks.rar

    • Size

      7.3MB

    • MD5

      f2f2bc99451966cbe5d3eac82d04c192

    • SHA1

      91ecfd21be0f9df10ace16606a8e83063d20aece

    • SHA256

      899517a9868cd13a0598c60129bc8050a0d5afc6259c9108a59c8a7f26a1e2ed

    • SHA512

      39dfd96ceb1fb11745ed51b6ee0085a4dd94a563490e5ee4b313838615c373de282b75247eefcfaf1d514d5bcf3336783832046e216ed8adf69cfadde4bb63a5

    • SSDEEP

      196608:EXHOAPIky5foxxnbmG5B5oMzdt5CmfdTyb/XE:EXOAxJ3nCqhzZfd+r0

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser profile data, which can include saved credentials and other sensitive information.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Enumerates processes with tasklist

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Target

      Pvt Hooks/Read.txt

    • Size

      122B

    • MD5

      93005aeb91e3828c182a2163048c446d

    • SHA1

      37f8dbb807b2658ac34f4c1404c9296fd9e9cd85

    • SHA256

      76abdc837b9cbfdb26611f7418df14870d16233b343dd3a6a50015d87bc8c7fc

    • SHA512

      93f1c8e35112df22c0bf54d07fe07275ecb96a838741723e8749f8b2cf6bca65561c04546e5706b0d193744714e19e33f008bab052bcc75be8a733e06fb8ff4b

    • Score

      1/10

    • Target

      Pvt Hooks/ascendhookopus.dll

    • Size

      4.8MB

    • MD5

      8649ae5a732bc808f228677b27a1e9b6

    • SHA1

      95775c451ed9604d9753465d8cc4d52ca1cb58a4

    • SHA256

      b39781589c4403fb82174c9647a010464cff38bad976547d339899b00053a545

    • SHA512

      9b6e678f35f776c7a14b35998c4a5682c26de1cc59347c55f3744d216a9ba038d077317fe5a80d6de1903f9788f7ab58c04535213b43777b0003b857800d4525

    • SSDEEP

      3::

    • Score

      1/10

    • Target

      Pvt Hooks/injector.exe

    • Size

      7.5MB

    • MD5

      5ac349d31df2f8659f3cbafb6c364d63

    • SHA1

      6b897500c22044917fae28b0bfacdf06fb2c9a81

    • SHA256

      38fe07cf164f35010e97497f66a0435b77b625e69a4c211c8c3b111c4afedf5a

    • SHA512

      dea18006743d2e2abfd647f43d24e263aa3725eed1e61b53610fa4f85b7882aced03122dfb7c002e78930772a264befe03568404b62ca50cf290f4734bcf7bb2

    • SSDEEP

      196608:eNxHcLjv+bhqNVoBLD7fEXEoYbiIv9pvvk9fIiZ1ju:GsL+9qz8LD7fEUbiIqQgpu

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser profile data, which can include saved credentials and other sensitive information.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Enumerates processes with tasklist

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Target

      .pyc

    • Size

      1KB

    • MD5

      704b08b03b3634ccc8dfd4f9113ac694

    • SHA1

      6d73ae488e664ad5210340bbaf2c298158d6572c

    • SHA256

      ef1a4d73b6b2c916f973e751da330a9ce4171a06dc55eec2eedfb8a2b11308af

    • SHA512

      940c3431dd929cbb7d43532851ffb07f109964102385aae485e7897f8cc22b55e0420558f7ba53214fa1927e5cb34d1a0a1c9991164f62bfbf5fc812c2fc650e

    • Score

      3/10
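
The "Command and Scripting Interpreter: PowerShell", "Command Obfuscation" and "Enumerates processes with tasklist" signatures above (listed for both Pvt Hooks.rar and injector.exe) describe behaviours that show up in process-creation telemetry. The script below is an added example, not part of the sandbox report and not the sandbox's own rule logic: it normalises a command line (decodes -EncodedCommand, removes backtick splitting and string concatenation) and then checks for Add-MpPreference/Set-MpPreference with a Defender exclusion parameter, and for tasklist. The command lines it runs over are constructed for the example; the report does not publish the sample's actual command lines.

```python
"""Triage of process-creation command lines for two behaviours the report lists:
PowerShell adding Windows Defender exclusions (possibly obfuscated or passed via
-EncodedCommand) and process enumeration with tasklist."""
from __future__ import annotations

import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the
# spellings most often seen. The payload is base64 of a UTF-16LE script.
ENCODED_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

# Rules run over the normalised (lower-cased, de-obfuscated) command line.
RULES = {
    # Add-MpPreference / Set-MpPreference with one of the real exclusion parameters.
    "defender_exclusion_added": re.compile(
        r"\b(?:add|set)-mppreference\b[^\n]*?-exclusion(?:path|extension|process)\b"),
    "process_enumeration_tasklist": re.compile(r"\btasklist(?:\.exe)?\b"),
}


def normalize(cmdline: str) -> str:
    """Undo cheap command obfuscation so the rules see plain text."""
    text = cmdline
    m = ENCODED_RE.search(text)
    if m:
        try:
            decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
            text = f"{text} {decoded}"  # keep both: rules run over the union
        except (ValueError, UnicodeDecodeError):
            pass  # not really base64/UTF-16LE; leave the line alone
    text = text.replace("`", "")                        # Ad`d-MpPre`ference -> Add-MpPreference
    text = re.sub(r"""['"]\s*\+\s*['"]""", "", text)    # 'Add-Mp'+'Preference' -> 'Add-MpPreference'
    return re.sub(r"\s+", " ", text).lower()


def triage_command_line(cmdline: str) -> list[str]:
    """Return the names of the rules that fire on one command line."""
    text = normalize(cmdline)
    return [name for name, rx in RULES.items() if rx.search(text)]


# Constructed sample command lines (not taken from the report, which only states
# that PowerShell was used to add Defender exclusions and that tasklist was run).
SAMPLE_COMMAND_LINES = [
    r'powershell.exe -NoProfile -Command "Add-MpPreference -ExclusionPath C:\Users\Public"',
    "powershell -w hidden -c \"Add-MpPreference -ExclusionExtension '.exe'\"",
    "powershell.exe -nop -w hidden -EncodedCommand "
    + base64.b64encode("Set-MpPreference -ExclusionProcess injector.exe".encode("utf-16-le")).decode(),
    r'powershell -c "Ad`d-MpPre`ference -ExclusionPath C:\Temp"',
    "powershell -c \"&('Add-Mp'+'Preference') -ExclusionProcess injector.exe\"",
    "cmd.exe /c tasklist /v",
    'powershell -Command "Get-Date"',
]


def run_samples() -> list[list[str]]:
    """Triage every constructed sample; index i is the result for SAMPLE_COMMAND_LINES[i]."""
    return [triage_command_line(c) for c in SAMPLE_COMMAND_LINES]


if __name__ == "__main__":
    for line, hits in zip(SAMPLE_COMMAND_LINES, run_samples()):
        print(f"{hits or ['-']} <- {line[:70]}")
```

The normalisation only covers obfuscation that is visible in the command line itself; a script that builds the cmdlet name at runtime and hands it to Invoke-Expression, or that is read from a file, will not be caught this way. On a suspect host, pair this with the Windows Defender operational log (Event ID 5007 records configuration changes, including new exclusions) and a direct read of Get-MpPreference.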

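The "UPX packed file" signature is listed for the archive and for injector.exe. The sandbox's own rule is not published on this page; the following is an added example of how a practitioner can reproduce the check offline. It parses the PE section table and combines three pieces of evidence: UPX section names, the "UPX!" header magic, and the structural tell-tale of a stock UPX image (a first section that reserves memory but stores no bytes on disk, next to a high-entropy section), so that a modified packer which renames its sections and strips the magic is still flagged. The PE images it runs on are constructed in the block; they are not the files from the report.

```python
"""Static check for UPX-style packing in a PE file: UPX section names, the
"UPX!" header magic, and the structural tell-tale of a first section that
reserves memory but stores no bytes on disk next to a high-entropy section."""
from __future__ import annotations

import math
import random
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def section_headers(data: bytes) -> list[tuple[bytes, int, int, int]]:
    """Parse the PE section table: (name, VirtualSize, SizeOfRawData, PointerToRawData)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_of_optional                  # first IMAGE_SECTION_HEADER
    out = []
    for i in range(num_sections):
        name, vsize, _vaddr, rsize, roff = struct.unpack_from("<8sIIII", data, table + 40 * i)
        out.append((name.rstrip(b"\0"), vsize, rsize, roff))
    return out


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not blob:
        return 0.0
    n = len(blob)
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def upx_indicators(data: bytes) -> dict:
    """Combine name-based and structure-based evidence; the structural checks
    still fire when a modified packer renames its sections and strips the magic."""
    secs = section_headers(data)
    names = {s[0] for s in secs}
    entropies = [shannon_entropy(data[roff:roff + rsize]) for _, _, rsize, roff in secs if rsize]
    first_reserved_only = bool(secs) and secs[0][1] > 0 and secs[0][2] == 0
    max_entropy = max(entropies, default=0.0)
    result = {
        "upx_section_names": bool(names & UPX_SECTION_NAMES),
        "upx_magic": b"UPX!" in data,
        "empty_first_section": first_reserved_only,
        "max_section_entropy": round(max_entropy, 2),
    }
    result["verdict"] = result["upx_section_names"] or result["upx_magic"] or (
        first_reserved_only and max_entropy > 7.0)
    return result


def build_stub(section_names: list[bytes], packed: bool, magic: bool) -> bytes:
    """Constructed minimal PE32+ image for testing; not a file from the report."""
    rnd = random.Random(1).randbytes(4096)                # stands in for compressed data
    payload = (b"UPX!" + rnd[4:]) if magic else rnd
    if not packed:
        payload = (b"\x48\x89\xe5\x90\x90\xc3" * 700)[:4096]  # repetitive, low-entropy bytes
    n = len(section_names)
    e_lfanew, size_of_optional = 0x80, 0xF0
    table = e_lfanew + 4 + 20 + size_of_optional
    raw_start = (table + 40 * n + 0x1FF) & ~0x1FF          # 512-byte file alignment
    dos = (b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, n, 0, 0, 0, size_of_optional, 0x22)
    headers, body, roff = [], b"", raw_start
    for i, name in enumerate(section_names):
        if packed and i == 0:
            vsize, rsize, off = 0x10000, 0, 0             # UPX0-style: memory reserved, nothing on disk
        else:
            vsize, rsize, off = len(payload), len(payload), roff
            body += payload
            roff += rsize
        headers.append(struct.pack("<8sIIII", name.ljust(8, b"\0"), vsize, 0x1000 * (i + 1), rsize, off) + bytes(16))
    image = dos + b"PE\0\0" + coff + bytes(size_of_optional) + b"".join(headers)
    return image.ljust(raw_start, b"\0") + body


if __name__ == "__main__":
    for label, names, packed, magic in [
        ("stock UPX", [b"UPX0", b"UPX1", b".rsrc"], True, True),
        ("renamed sections", [b".text", b".data", b".rsrc"], True, False),
        ("unpacked", [b".text", b".data", b".rsrc"], False, False),
    ]:
        print(label, upx_indicators(build_stub(names, packed, magic)))
```

To run it on a real file, pass `open(path, "rb").read()` to `upx_indicators`. The "UPX!" search over the whole file is deliberately coarse and can hit on unrelated data, and the entropy threshold of 7.0 bits per byte is a working assumption that also fires on encrypted or otherwise compressed payloads, so treat the verdict as a triage hint to be confirmed by unpacking, not as proof of UPX.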
MITRE ATT&CK Enterprise v15

Tasks