General

  • Target

    f7843fdac52708f4f0ffe8ee722e57669a1c7c5397f9a6462a45a3f6b35be0a6

  • Size

    1.4MB

  • Sample

    241210-agtbqs1pgm

  • MD5

    c8135e0ef43d1c82799063ac37f67862

  • SHA1

    df9853cc18ba6175d22243864ccc5a7a247c76c2

  • SHA256

    f7843fdac52708f4f0ffe8ee722e57669a1c7c5397f9a6462a45a3f6b35be0a6

  • SHA512

    d863750e5183961c203973bb59604f67275b6f9dde45221a55a676d4d2e3e56d846ce1f8a250679c6209f3b154c36ec67412739f407ce25984155711369a71ca

  • SSDEEP

    24576:g38KJ/B1FBgDXZNFfZoWe0KVIC9ClKa5IrykTHhQ5NoRyftZZriXWzr6pfKuI/rr:xKL1rgXteP3Vz9oI2mhoNosVDP+fXK

Malware Config

Targets

    • Target

      f7843fdac52708f4f0ffe8ee722e57669a1c7c5397f9a6462a45a3f6b35be0a6

    • Size

      1.4MB

    • MD5

      c8135e0ef43d1c82799063ac37f67862

    • SHA1

      df9853cc18ba6175d22243864ccc5a7a247c76c2

    • SHA256

      f7843fdac52708f4f0ffe8ee722e57669a1c7c5397f9a6462a45a3f6b35be0a6

    • SHA512

      d863750e5183961c203973bb59604f67275b6f9dde45221a55a676d4d2e3e56d846ce1f8a250679c6209f3b154c36ec67412739f407ce25984155711369a71ca

    • SSDEEP

      24576:g38KJ/B1FBgDXZNFfZoWe0KVIC9ClKa5IrykTHhQ5NoRyftZZriXWzr6pfKuI/rr:xKL1rgXteP3Vz9oI2mhoNosVDP+fXK

    • Floxif family

    • Floxif, Floodfix

      Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.

    • Detects Floxif payload

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Event Triggered Execution: AppInit DLLs

      Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    • Event Triggered Execution: Image File Execution Options Injection

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.