General
- Target: BadwareFree.exe
- Size: 13.6MB
- Sample: 241217-rk27gs1nby
- MD5: 54c677a0a73492403a83b0001fb5b806
- SHA1: 98b6e28b81ac691fefa18075c1928950d0bfbf06
- SHA256: b08c8ce738c0cc6b892729c671ac74ed4b4c925767eddc5fe245265de8d8bec3
- SHA512: 151714c74490ea324b857bbc08d3756c1f93b2ba24279a2f35d7b335d79fe7d5e923d471101ae30f7977914d556f661522f504c2f9f1c2153d92b004d8add367
- SSDEEP: 196608:a+FQywDgqKoxreNi1lT3urIo9Pbv+RwGWGIygf4reN/FJMIDJf0gsAGK5SEQRSkt:nwD3L1h3k9jWurGcf/Fqyf0gsfNSklL
Behavioral task
- behavioral1
- Sample: BadwareFree.exe
- Resource: win7-20241010-en
Malware Config
Targets
- Target: BadwareFree.exe (13.6MB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the values listed under General)
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
- Enumerates processes with tasklist
- Suspicious use of NtSetInformationThreadHideFromDebugger