General

  • Target

    Blank grabber.exe

  • Size

    7.8MB

  • Sample

    241212-b8spys1jak

  • MD5

    b7a8afaf2f9015816da8bf2b16e34353

  • SHA1

    372aaa07e086c1b02d008a1180101ba7e8850a05

  • SHA256

    504c0250247b992134cc818d623a825ec4ae855a02b51875ca80d022a6626f07

  • SHA512

    b0359bee453c62816136e6f76631b599ed2c28a7469a27fd13a1dc18c09247abf7040d42b34fb53c9633de52bc4782b940b81c1f84501bb5f1ad3fbf737d45f9

  • SSDEEP

    196608:QqD+kdjwfI9jUCBB7m+mKOY7rXrZusoSDmhfvsbnTNeWP:z5mIHL7HmBYXrYSaUNh

Malware Config

Targets

    • Target

      Blank grabber.exe

    • Size

      7.8MB

    • MD5

      b7a8afaf2f9015816da8bf2b16e34353

    • SHA1

      372aaa07e086c1b02d008a1180101ba7e8850a05

    • SHA256

      504c0250247b992134cc818d623a825ec4ae855a02b51875ca80d022a6626f07

    • SHA512

      b0359bee453c62816136e6f76631b599ed2c28a7469a27fd13a1dc18c09247abf7040d42b34fb53c9633de52bc4782b940b81c1f84501bb5f1ad3fbf737d45f9

    • SSDEEP

      196608:QqD+kdjwfI9jUCBB7m+mKOY7rXrZusoSDmhfvsbnTNeWP:z5mIHL7HmBYXrYSaUNh

    • Deletes Windows Defender Definitions

      Uses mpcmdrun utility to delete all AV definitions.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Enumerates processes with tasklist

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks