General

  • Target

    ahost.exe

  • Size

    7.6MB

  • Sample

    241213-h4y5hatnbl

  • MD5

    b5fc1d627d4db7ee46dc0fe38ac28d01

  • SHA1

    35e2fa322989afa985734caa7c663510de21a2cc

  • SHA256

    0f145a4d00566964b14e9b825779fd1aae1ea308a36e9d3536534779e19d64a1

  • SHA512

    9f81b20c9d6e6652a4dde5d17722aa24e54c971e18bd80f3dd19b55427a3b8a9bc39444549ea98c39a571cd81049d37c54113a325f5c04daa1409ff0e8297610

  • SSDEEP

    196608:BHHYHRwfI9jUCzi4H1qSiXLGVi7DMgpZ3Q0VMwICEc/jN:SOIHziK1piXLGVE4Ue0VJJ

Malware Config

Targets

    • Target

      ahost.exe

    • Size

      7.6MB

    • MD5

      b5fc1d627d4db7ee46dc0fe38ac28d01

    • SHA1

      35e2fa322989afa985734caa7c663510de21a2cc

    • SHA256

      0f145a4d00566964b14e9b825779fd1aae1ea308a36e9d3536534779e19d64a1

    • SHA512

      9f81b20c9d6e6652a4dde5d17722aa24e54c971e18bd80f3dd19b55427a3b8a9bc39444549ea98c39a571cd81049d37c54113a325f5c04daa1409ff0e8297610

    • SSDEEP

      196608:BHHYHRwfI9jUCzi4H1qSiXLGVi7DMgpZ3Q0VMwICEc/jN:SOIHziK1piXLGVE4Ue0VJJ

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Drops file in Drivers directory

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Enumerates processes with tasklist

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks