Overview

overview

10

Static

static

10

Mapper.exe

windows7-x64

9

Mapper.exe

windows10-2004-x64

9

build.exe

windows7-x64

7

build.exe

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    minkoexternal.rar

  • Size

    10.5MB

  • Sample

    241226-kqwhka1mey

  • MD5

    0123f5ddd618ad998c85ba8bc18cf62e

  • SHA1

    0158b710080b5cd4279d9a05fbe3aff0f9a435fa

  • SHA256

    3f999b73e1e8d1a2d50952370ab205d446b6021560e9934f5148b1cbfba5e3fd

  • SHA512

    f484b363e865fa1bae555815a5412b66ae5847778d28e11c17e7accfb9c7f9372ee4f013c9db729ed85e991abe21f635411b1f3935ec788222cf4da268aec497

  • SSDEEP

    196608:lOLz9eNW2oK1O5oRXtt+TjeeH8VfnG9Le5BuqxBgMzvtb/e4Rr/KLF:kBeNXoK1uot+GYMBJxBnzvJXpQ

Score
10/10
blankgrabbercollectioncredential_accessdefense_evasiondiscoveryevasionexecutionpersistenceprivilege_escalationspywarestealerthemidatrojanupx

Malware Config

Targets

    • Target

      Mapper.exe

    • Size

      3.0MB

    • MD5

      f360158f01156feddbcff28b19c2a305

    • SHA1

      d9fb6edd03401885f5fc81d0855461a8d4932414

    • SHA256

      6752bd7afba1d78337f63a53e81ff63bfb29efd3d9b9835985b2a9017fd0e0c1

    • SHA512

      12159a4ac831a1f6925544d1dee0e7a38aa789736f36b533103850c8201f8012e4fcd888d28400383a79e7ddf45526f85ca1189317739d595f7f24c80abf8e18

    • SSDEEP

      49152:CJFkF6AWVHSJQM54i/OtyynS0kM4d1s09qw7F8mQEY3dEH4BrU3ZbS9tsUADsYms:CJuzCS5j/t+73E1s0QTR3d6ruwjnmxm

    Score
    9/10
    evasionpersistencethemidatrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Sets service image path in registry

      persistence

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      build.exe

    • Size

      7.7MB

    • MD5

      6ac862f2a0c6944f957b3047c065cc37

    • SHA1

      718454d6429cd529d2447b3f9d7dae8a6322ca90

    • SHA256

      77f78f9b349a157bd4243efdb4d8d9826fad30609f82388f7c4af23092b12353

    • SHA512

      3b8408bc605ae79aaa7ec66d151039a0734cdae3838e8b92ac2ca75884564d15e86f22b865c42ec51fdab6ca3080b5f53316f7adba1abd7b1478fbd74837dca3

    • SSDEEP

      196608:YrD+kdBwfI9jUCBB7m+mKOY7rXrZusooDmhfvsbnTNWM:450IHL7HmBYXrYoaUNv

    Score
    8/10
    upxcollectioncredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywarestealer

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Drops file in Drivers directory

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

      defense_evasion

    • Enumerates processes with tasklist

      discovery

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Modify Registry

1
T1112

Obfuscated Files or Information

1
T1027

Command Obfuscation

1
T1027.010

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Browser Information Discovery

1
T1217

Process Discovery

1
T1057

Query Registry

2
T1012

System Information Discovery

5
T1082

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Clipboard Data

1
T1115

Data from Local System

2
T1005

Command and Control

Exfiltration

Impact

Tasks