General

  • Target

    12ac6f82a1d4f363803a8e9a694a3d2f7dccf9d5c9d44ca892f4593517ccaad2.exe

  • Size

    1.9MB

  • Sample

    250115-1jdbeawjc1

  • MD5

    e9fb5eb3105155ef55730d5e1ee7efea

  • SHA1

    291f5aeaf175624f29b83f5a64c2ebe0026e16ac

  • SHA256

    12ac6f82a1d4f363803a8e9a694a3d2f7dccf9d5c9d44ca892f4593517ccaad2

  • SHA512

    96db208b8e3da869b1ab2259b001d14f121ce5aad48186ecc89339b474e9dbed92b4ecb020eaa70939cf988836f3f4e2e83e66927185bd5abe6cf43b63d3a8cf

  • SSDEEP

    49152:4ycNDE8fDKs4F7Mlos4RUhMLPjzTzd0djxndnHdUMwCL:ZcNVDKsGcb4R0wjzl0lxnHfJ

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated URLs

    exe.dropper: https://iplogger.org/1z4Te7

    exe.dropper: https://iplogger.org/1GwCf7

Targets

    • Target

      12ac6f82a1d4f363803a8e9a694a3d2f7dccf9d5c9d44ca892f4593517ccaad2.exe

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Accesses 2FA software files, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Command and Scripting Interpreter: PowerShell

      Start PowerShell.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks