General
-
Target
Howlis executor.zip
-
Size
9.5MB
-
Sample
241216-z5jjwa1mfr
-
MD5
8065ee8f8c5ea3b3323ae807890429d4
-
SHA1
cb0f5cf2519c95530b155dc56a9a3d58386c3c8e
-
SHA256
e11811db10afadc6d917402d841b750dc66b91649657a5020adc81cd5d84a72c
-
SHA512
50cb20bc46f43b3e8ef8aea87fbce1aab84645446ed2e534a9db0e94304fdecaa1ac80edc8429c7073ef496dac9b9061fecee513bfa77db4f62f27643aebb7f1
-
SSDEEP
196608:9PyjcoEEVJWA8Rin6PgDRTF6wLhePLKDUS7bl3IdOnoUq+:9Py9WY6UXQe33OdO
Malware Config
Targets
-
-
Target
Howlis executor.zip
-
Size
9.5MB
-
MD5
8065ee8f8c5ea3b3323ae807890429d4
-
SHA1
cb0f5cf2519c95530b155dc56a9a3d58386c3c8e
-
SHA256
e11811db10afadc6d917402d841b750dc66b91649657a5020adc81cd5d84a72c
-
SHA512
50cb20bc46f43b3e8ef8aea87fbce1aab84645446ed2e534a9db0e94304fdecaa1ac80edc8429c7073ef496dac9b9061fecee513bfa77db4f62f27643aebb7f1
-
SSDEEP
196608:9PyjcoEEVJWA8Rin6PgDRTF6wLhePLKDUS7bl3IdOnoUq+:9Py9WY6UXQe33OdO
Score8/10-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Clipboard Data
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Enumerates processes with tasklist
-
Hide Artifacts: Hidden Files and Directories
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
ForlornApi.dll
-
Size
13KB
-
MD5
7392cca8d4501d4f7427a85b8b654f32
-
SHA1
baa253b7a7f1aed7633f248ad137f881a91c70c7
-
SHA256
8b6cd9ef4de8010c3b849e18a3fc009f42bcd350bdf575287f1f237d68b3d394
-
SHA512
1716c68561f6ad490498c75cecb910372b26a600d7e81c033442b46beb688e2ed163c0b6cb993408f2ddfd37bc20de2b5afe61e3976c365f7c149204ff84d2fd
-
SSDEEP
192:vT8pAUmIXruvxa8LhYWoii0PxKo1uELE3aEf++eNJL+2kanWJQvtVq+N9:r8xlXeph7oVOD1uEHNNZDtVN9
Score1/10 -
-
-
Target
Howlis executor.exe
-
Size
8.0MB
-
MD5
f1ca5255649ddad16f45692c7008f5ee
-
SHA1
5c01084da7bca0482b46095ca52d59b610225ce2
-
SHA256
1a4205f6c5a0bbae1d88ee3cc83b6be6c96c35c129b5c6f1792e176c503be723
-
SHA512
07571d2496fb412ed6aa1540c6bd7a80d6f18e7e17e6b86509fd4b25d566c2761dc9264031385f1be8799431effa2575384ab7dcc0bb02e8f5810a1081a07f00
-
SSDEEP
196608:i7umWsWOjmFwDRxtYSHdK3Hkdai7bN3mZbymVW:LshK2pMEB3QZG
Score8/10-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Drops file in Drivers directory
-
Clipboard Data
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Enumerates processes with tasklist
-
Hide Artifacts: Hidden Files and Directories
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
��+�*ʼn.pyc
-
Size
857B
-
MD5
9b66449dfbdcee3bd6031470c50b182e
-
SHA1
a010862d7827281dcefbc14879328e7c25a7f111
-
SHA256
2b5f700cbe660be30275f1d9f2a3c7ccabeb973b1ed48150f5f83e9787498f6d
-
SHA512
ea12b944e65c24d5e276092acde6164452cea2d9308acf877b595165587d47231350d8df7a894c384c56623f9a811f8432261f93efa64695d336aa209d0ae647
Score1/10 -
-
-
Target
bin/Xeno.dll
-
Size
966KB
-
MD5
ec9869d9931e7b80c907d0a05d03f071
-
SHA1
9102ef75bd50fb9d8be8b2f07a977c3d23fc82a0
-
SHA256
70ef43c6ede2e80212c363058da59236602c69ff94c8a4baff297d5134e95be2
-
SHA512
ee231c55fba5f8da4a104024ca27a69e0b37f73709bf2b7ad8375fecb34cd4c3f0fb8ad2c04ef92a777ea2a48fa6afd0078f55930d95c17b9a7cc14c3ade4906
-
SSDEEP
12288:HyFglykm6F+W80X4WOOzLoiNu5c+knlomlT9/xeYP5KT4KkIpSM01n:SN6oN0X+S5u5cvnlTL58T4KkH
Score7/10-
A potential corporate email address has been identified in the URL: [email protected]
-
-
-
Target
bin/libcrypto-3-x64.dll
-
Size
4.5MB
-
MD5
be0f6d1d60e149cedaca33a04963e05f
-
SHA1
b686e1ed9ae47b8ae803a5d9e912b0e631bc4217
-
SHA256
81a5fe6cd0ef5b083e5c4bdb6a40a30bfb1b0de15a9dfad459de2d6a36d94f86
-
SHA512
7b39dd8c70286ec4fe61cb2c3c12062f2dcbdda607c2f14c4f983741026f6aa62b60f9e983204949395cc54b5ebf6426c0f8300e0e385c35c1f2f3847160d7ff
-
SSDEEP
98304:5l+f+Kv6t8y37re39P6k1CPwDvt3uFGCC:/Cyt8yLre39yk1CPwDvt3uFGCC
Score1/10 -
-
-
Target
bin/libssl-3-x64.dll
-
Size
802KB
-
MD5
733e3b58ee1760a442fec4712848c3ad
-
SHA1
529206caad19cce2424323bc29a9fb9a4bbd3e76
-
SHA256
159198cb8e740f9ad5918b51503121fd1b7e70460f6a4f6a6aa27576bbfa31c7
-
SHA512
10835ff09e35d8acb2739707219905b3ae2870af973d8f80040baeb732eb798fa93ef1bc599ad9898aff8e20ee21aa1f5e5e07340eda205aa938fc001cd83a88
-
SSDEEP
12288:uDYDcpeu9jFBOBJfbudc68KqLie1+jKMwmUxlcdEVB3ks:usM9jFr8OeW5wmNdEVB3k
Score1/10 -
-
-
Target
bin/xxhash.dll
-
Size
46KB
-
MD5
70c514826d9428f184d27f0c8f397404
-
SHA1
e6b0b1a396de9913004d9bcaa230972686416bb6
-
SHA256
aff59e91d222b75b3e3ac789baba9e24eff99796261ae5e887ef9e3c28bb3d64
-
SHA512
168c63cbb54865ca42a884fd974291bcadd9dd8cf8bc1980148214e84498af42a590cb3d3a394765ee0b7d2e337fab6e85ff4f85d9ced97b92b540152202a0a6
-
SSDEEP
768:tziPp7yW4k3QDn24NuDUSu0MKQVMNKuxYAuogba4Mk3Q18swN1WQ8hi6U:tziR74kgDn2rDRuIrN5mAvgbTg18DN1z
Score1/10 -
-
-
Target
bin/zstd.dll
-
Size
638KB
-
MD5
5b96fb0d4e6453680da278f5b7e51a29
-
SHA1
3c96a29248fa3644de2c653a5d97c1e21b13a769
-
SHA256
1374391dafd6262795243a58f9fb234be859d940683fe756c64692ca807f0478
-
SHA512
27d06b7182aa48a81cce18f8f7b1bee054f3a862ccebd77d273a67c6a15e5d0ef5ba8fd7430976f445eb8bff51d290f2bb50061ac7ef448255ba8a18b8baf193
-
SSDEEP
6144:fbauYl+rrR8uT4uB5uWYfO16oMynnjDHMkYHbpk5tRCEybNFZemMBLx4uQ16aSG:fbauYGT5BYMxjDHMk0petRCEyb9emHO
Score1/10 -
-
-
Target
cver.txt
-
Size
5B
-
MD5
495063beeac89309a2247ce9c13ed292
-
SHA1
063ee00ca80d81e068dd404b59ceb2a03b2e7109
-
SHA256
b4116d6e880009dc1440ddab7ec054bcea529aea394ec5bab7943b415a359281
-
SHA512
cac6de984822cd7cf97611897611873cb5951b9a63f75a46a54aa6c0d2f3565419a1aa574c657df94a7057d85b99515753615b7336d96a7ff9463a0f3dbf3ffa
Score8/10-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Downloads MZ/PE file
-
Event Triggered Execution: Image File Execution Options Injection
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Installs/modifies Browser Helper Object
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Checks system information in the registry
System information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
cxapis.dll
-
Size
12KB
-
MD5
d60ed50bd25555f3004d33b0655afc9c
-
SHA1
7ea3bb536ebdf7a534c4a026c58612d69d712a59
-
SHA256
4bc61c1b668faa12b27e107fd3c4fbe83b2b2a8f0285d8d5c6436a62bbcb081a
-
SHA512
888fae7c71e3e6d574c53331a6485649bb2da0b0c2c565822c696bc9f38ddd4c813f1cd808452e7a3c2cd01ee54586c631fe7fcd17324f9e67384a68d4c06a20
-
SSDEEP
192:shyp9xF/8zoQwCDLOzI1xCqVUhdK19/g2xKQ5KjvPgFM5R7Jra8VVUw:shyE1LAI18Wa2xKQUTuMtVH
Score1/10 -
-
-
Target
runtimes/win-x64/native/WebView2Loader.dll
-
Size
162KB
-
MD5
c9a5d0f278d57d83a03404b8baeeac64
-
SHA1
39d44b999c1d89c36136804a373d4d427bc7d679
-
SHA256
462b36fd1be6ca9f7563466a89e57c41ef4a4def3e0a84fa885d203aea4a3aaf
-
SHA512
97dfb08eae34624b7679a4bb07dee242b2a38324dc13b8aaec6de7f6fed477e9f9bc7474d4df9fbe907d1a460723db7177b7128a26edf5bd73d38d4d45722db6
-
SSDEEP
3072:fXAne8TlTRTSpL1ThTNTRyMDjRb/hy75HGRtVBviiZsZ5AalCPTxiEtJx9eg8Xjm:/yTlTRTUL1ThTNTRyeLq1GRtVBvPZsrw
Score1/10 -
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Active Setup
1Browser Extensions
1Event Triggered Execution
3Component Object Model Hijacking
1Image File Execution Options Injection
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Active Setup
1Event Triggered Execution
3Component Object Model Hijacking
1Image File Execution Options Injection
1Netsh Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
4Obfuscated Files or Information
1Command Obfuscation
1Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Discovery
Browser Information Discovery
1Process Discovery
1Query Registry
5Remote System Discovery
1System Information Discovery
7System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
2Internet Connection Discovery
1Wi-Fi Discovery
1