Overview

overview

10

Static

static

10

Spotify.zip

windows10-2004-x64

8

Spotify/Spotify.exe

windows10-2004-x64

8

&́��_.pyc

windows10-2004-x64

Spotify/spotify.bin

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Spotify.zip

  • Size

    6.8MB

  • Sample

    241227-1fv22szpdy

  • MD5

    e379c12a1b24836cca20d27ff690d4f1

  • SHA1

    5630a21e177f4d41bfcc62ab3b55cac6ff6998ac

  • SHA256

    2f3272c5f72ab7029e8174c2285da91c71fa24a64f5201dd9a5d68f93378334a

  • SHA512

    88adeeff664312efe8c6af71e155018fa7da3729189909c9a48f1a284f50702535973df8c96a95ebdc752c658ab8403276317b1bec6ab44807b7d1337ba6678d

  • SSDEEP

    98304:fImhhW42rEgcmQr7qAsm+H93VeyipZ2PWaP3IVhZ6McTIcr4DaXcLvVO1+OFJcMe:nA6vqbeVZmDP3IRcMzLo1+GLlqfNAUb

Score
10/10
blankgrabbercollectioncredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywarestealerupx

Malware Config

Targets

    • Target

      Spotify.zip

    • Size

      6.8MB

    • MD5

      e379c12a1b24836cca20d27ff690d4f1

    • SHA1

      5630a21e177f4d41bfcc62ab3b55cac6ff6998ac

    • SHA256

      2f3272c5f72ab7029e8174c2285da91c71fa24a64f5201dd9a5d68f93378334a

    • SHA512

      88adeeff664312efe8c6af71e155018fa7da3729189909c9a48f1a284f50702535973df8c96a95ebdc752c658ab8403276317b1bec6ab44807b7d1337ba6678d

    • SSDEEP

      98304:fImhhW42rEgcmQr7qAsm+H93VeyipZ2PWaP3IVhZ6McTIcr4DaXcLvVO1+OFJcMe:nA6vqbeVZmDP3IRcMzLo1+GLlqfNAUb

    Score
    8/10
    collectioncredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywarestealerupx

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Drops file in Drivers directory

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

      defense_evasion

    • Enumerates processes with tasklist

      discovery

    • Hide Artifacts: Hidden Files and Directories

      defense_evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

    • Target

      Spotify/Spotify.exe

    • Size

      7.0MB

    • MD5

      0e5f390e7694600ffe6cebd8cc8acd37

    • SHA1

      31d923931ca0697a054c9c8e025c81780cba0146

    • SHA256

      7ca23f18cfd17c4b5b99e95accbb5c493d0b05511872b2b234d9a2b64a8d2597

    • SHA512

      a463510eb524a1e26851f26693b474b3295721b7f476807d1feb000c7ca20f17aa3cc16668c74524e427bf72e0ec067133b7ce23d6249e22e2f2099c97c900bf

    • SSDEEP

      98304:WRRDjWM8JEE1FX76aamaHl3Ne4i3Tf2PkOpfW9hZMMoVmkzhxIdfXeRiYRJJcGhX:Wr0Z6zeNTfm/pf+xk4dWRimrbW3jmyi

    Score
    8/10
    collectioncredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywarestealerupx

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Drops file in Drivers directory

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

      defense_evasion

    • Enumerates processes with tasklist

      discovery

    • Hide Artifacts: Hidden Files and Directories

      defense_evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral2

    • Target

      &́��_.pyc

    • Size

      1KB

    • MD5

      ca69ce88ea8db8a3bbd5994aef561ac8

    • SHA1

      6708982e36e379ea1598ca7169f54682355d96d4

    • SHA256

      ddb300695a837330464dbfcdef57451f02246a7b7ca76ecfbe142ad4b70a4851

    • SHA512

      b3394b7a3edd49f56afe7eac370fab6377900868a03732ea7c4c74eb063e4b4dcc0e01c00e8eee65b8c378f025c3a528ade4c7bcb9c5195667c9e6d66148dbed

    Score
    1/10
    behavioral3

    • Target

      Spotify/spotify.bin

    • Size

      26B

    • MD5

      d75e91af6e303f84b7f1369380480e3b

    • SHA1

      66f89e0bb667b30a54d60573d748f7d42d685763

    • SHA256

      f48cd7cfe904f09688ffc1f50439b07707e8790c119281d88dd27db654d947d6

    • SHA512

      f766dc22885f59488194c1797a976a76230c432e0356f0a5c052efe22bd7393bc1bb5be18c405f49989790825be09639b53244cce135e639d798874788e99cca

    Score
    3/10
    behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Obfuscated Files or Information

1
T1027

Command Obfuscation

1
T1027.010

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Browser Information Discovery

1
T1217

Process Discovery

1
T1057

Query Registry

1
T1012

Remote System Discovery

1
T1018

System Information Discovery

4
T1082

System Network Configuration Discovery

2
T1016

Internet Connection Discovery

1
T1016.001

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Clipboard Data

1
T1115

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks