Overview

overview

10

Static

static

10

CatPublicFr (2).exe

windows7-x64

7

CatPublicFr (2).exe

windows10-2004-x64

8

���>VB.pyc

windows7-x64

���>VB.pyc

windows10-2004-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    CatPublicFr (2).exe

  • Size

    12.9MB

  • Sample

    241220-vkf6ss1jgr

  • MD5

    741e25e8d170e8d4a1983f8945756f22

  • SHA1

    c35153f7fb0888598f65d438b270fe837cdc9fe8

  • SHA256

    ea63c1b79503aeca26e1666eabd3ffd6f852f3e4d1b436d1fa7b592b18d4eb44

  • SHA512

    d1761e6861728b03c15236de0d15c527d9b87276d15134cc9d5d11a89a29d045a596126c7d32373c225cdceba9e7701b5286e44f12a0d0a65402a9f52bbee606

  • SSDEEP

    393216:u6Px4ae4PT1Qmrmykx4APurEUWjZZ4dDLIeyzWtPTNzx:dx4aBhQb7GYdbZZ6geNNF

Score
10/10
blankgrabbercollectioncredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywarestealerthemidaupxvmprotect

Malware Config

Targets

    • Target

      CatPublicFr (2).exe

    • Size

      12.9MB

    • MD5

      741e25e8d170e8d4a1983f8945756f22

    • SHA1

      c35153f7fb0888598f65d438b270fe837cdc9fe8

    • SHA256

      ea63c1b79503aeca26e1666eabd3ffd6f852f3e4d1b436d1fa7b592b18d4eb44

    • SHA512

      d1761e6861728b03c15236de0d15c527d9b87276d15134cc9d5d11a89a29d045a596126c7d32373c225cdceba9e7701b5286e44f12a0d0a65402a9f52bbee606

    • SSDEEP

      393216:u6Px4ae4PT1Qmrmykx4APurEUWjZZ4dDLIeyzWtPTNzx:dx4aBhQb7GYdbZZ6geNNF

    Score
    8/10
    upxcollectioncredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywarestealerthemidavmprotect

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Drops file in Drivers directory

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

      defense_evasion

    • Drops file in System32 directory

    • Enumerates processes with tasklist

      discovery

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

    • Target

      ���>VB.pyc

    • Size

      1KB

    • MD5

      f8d13e82af49b82f4296f79d02632e1d

    • SHA1

      3714c43a1dd52be887cd00db24c8721e0224fd41

    • SHA256

      00d5372bee7fd16e30a52a02f2ccea0343bd8d520b735a7b97b236e7335c5c20

    • SHA512

      e191b8a0b99a953a7f1e4936235f501845ddd2f46621bf9910fcc45ab3c394bebf6405ac8e8eb0b87a98625ab4af9c589c462ae8539c43a1a37983bc02a7e4de

    Score
    1/10
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Obfuscated Files or Information

1
T1027

Command Obfuscation

1
T1027.010

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Browser Information Discovery

1
T1217

Process Discovery

1
T1057

System Information Discovery

3
T1082

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Clipboard Data

1
T1115

Data from Local System

2
T1005

Command and Control

Exfiltration

Impact

Tasks