Resubmissions

12-12-2024 15:34

241212-szwtpaykhv 10

12-12-2024 15:12

241212-sk9f8sznfj 10

12-12-2024 03:03

241212-dj9y2sykfs 10

11-12-2024 08:54

241211-kt1axsznhq 10

08-12-2024 15:39

241208-s3rzxaspbk 10

General

  • Target

    Nuke Tool discord-gg-kasyno.exe

  • Size

    42.5MB

  • Sample

    241212-sk9f8sznfj

  • MD5

    51817b9dcd9c193c3358f6b179d268d1

  • SHA1

    48711e49dd33723c12a2ba925d228b99ab297274

  • SHA256

    eacbb5f16c8e1315bfa69d3bb0ce318cf246cff642bbde43e6263fd34e0c399b

  • SHA512

    6a5b1ac87137fe7ced1c902ee331d2eaf38a6d042b836190abd1a6a9f3826e1141c86ab64557992e7c388278f81f8abd04e60027e790cad8713c374f920f6957

  • SSDEEP

    786432:gDEDi+G9pN2TxKFLyPnoVIXkXVGRG7dcuZaqdior4XXpf6q3loaU/fsc+KkeAhev:ggDi+RoFLyPno/AydcucZfb3KnqKUhev

Malware Config

Targets

    • Target

      Nuke Tool discord-gg-kasyno.exe

    • Size

      42.5MB

    • MD5

      51817b9dcd9c193c3358f6b179d268d1

    • SHA1

      48711e49dd33723c12a2ba925d228b99ab297274

    • SHA256

      eacbb5f16c8e1315bfa69d3bb0ce318cf246cff642bbde43e6263fd34e0c399b

    • SHA512

      6a5b1ac87137fe7ced1c902ee331d2eaf38a6d042b836190abd1a6a9f3826e1141c86ab64557992e7c388278f81f8abd04e60027e790cad8713c374f920f6957

    • SSDEEP

      786432:gDEDi+G9pN2TxKFLyPnoVIXkXVGRG7dcuZaqdior4XXpf6q3loaU/fsc+KkeAhev:ggDi+RoFLyPno/AydcucZfb3KnqKUhev

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Drops file in Drivers directory

    • A potential corporate email address has been identified in the URL: [email protected]

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Mark of the Web detected: This indicates that the page was originally saved or cloned.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Enumerates processes with tasklist

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks