General

  • Target

    9d6b004b06d43ac61aaf4c368987f2c6eef854c6f32cf5286666520ef213f2b7.zip

  • Size

    8.2MB

  • Sample

    250117-gzv2lsvrcm

  • MD5

    be180e9117f8bd450654fd3dd237e555

  • SHA1

    e511d90fdf15492f57ada7866f633296f97d5b7b

  • SHA256

    9d6b004b06d43ac61aaf4c368987f2c6eef854c6f32cf5286666520ef213f2b7

  • SHA512

    faba17ca452b8233deea041638112e646a378fafbbd524c8563cccaa649a6ff39afa46cc1ba60e816a37b11fe25e3e28622b6cc808185db5d17ae19efd9b9aaf

  • SSDEEP

    196608:FGJ/PaNXBNjj2YmlXaB+GGWDKHQyVEUSydq:FGJ/PaNnH2YKXaUcys8q

Malware Config

Targets

    • Target

      i965652f-main/bdata.exe

    • Size

      14.4MB

    • MD5

      12addbbf49d12e2c778450e82318b409

    • SHA1

      aa873043dabf4eaaaa320f51263458fdae43f787

    • SHA256

      0408574004e2806bd4554ffa352578259ba1de668e17b251e5f254c9558df00c

    • SHA512

      e2bb4083548008c5c69a35bb4c4c37c6d6d39e80b002c7ea04b60d61f669560583d37c8a63e6b42766d491b55e9b0159980021314cbf080ddbbf90720b556fcb

    • SSDEEP

      196608:YNQEKojYRA87D6Ep0GtjQyErcSIKVRap8:IjYiqD6EWySccCp8

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Target

      i965652f-main/e.ps1

    • Size

      1KB

    • MD5

      84ff3e215169b9d832bc5d9e94e2b22b

    • SHA1

      569437882641b3a97da7bab31fa8f651aaadce45

    • SHA256

      1a947ef7a88e807d24d3b93be78c522784f3e674126c6b94cfcf553874de4ffa

    • SHA512

      386abf7ce946f9e223d84b1b1d1f0a6a8c32fc7bc22c04e7fbbf5b655133922537c92f6b2dfabcd7efde6a1e7434d7dc510a3cdb366bb1d49535ee8b55c70945

    • Score

      3/10

    • Target

      i965652f-main/exclude.ps1

    • Size

      979B

    • MD5

      22b7c77e64476f1842845f1529369794

    • SHA1

      b034134dfe982c73793a897278301d05a87a31a4

    • SHA256

      cdcfc9b6d8e0a133e249819859bd5d4aa303dd128ac326ce50d32dcfa884bc56

    • SHA512

      dd32593c528705522f6380ea4751c7c86a18d3a901094ef71babbf12f3ab5aee538052c033d7ca19d622af1b230e1a5fea627608e280b8913d8e63c85f69d752

    • Score

      8/10

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      i965652f-main/file.bat

    • Size

      302B

    • MD5

      ddc61d23e574068d2b66d21a7129ff2b

    • SHA1

      769713e5a4aea0f754f0dbc29bb5d6968a2c7e7c

    • SHA256

      c14eab4fb063ffca030c1e60b5f57b67e668af453a0281515845c79e5ba98561

    • SHA512

      d1bdb7fdc9d704758f29a2bcbe3568a085f9a95efeede529191c671dd30a255d95c960218e8064f7769b7865440fda741ecf235999cd0bb684571fef288f6f56

    • Score

      8/10

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Command and Scripting Interpreter: PowerShell

      PowerShell Invoke Web Request.

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      i965652f-main/grab.ps1

    • Size

      1KB

    • MD5

      bf95bc51a62fc80294a7088fc5551bfc

    • SHA1

      54b4805f6a1fa45179d4b8c0ef5e01f0528e11fd

    • SHA256

      b245958d5d98d1450d65b8848ba1618e81d85c0012530796f61b0b9e107eeb6b

    • SHA512

      b57e27a7ade7fcb79dfbe5bb3d562fab9fc0f4388696681e2b95c9c554ca00bcdd15e93f035b18e386cd0773bf2ccc72a747abf0b23ad176b8a935d220e8556d

    • Score

      8/10

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      i965652f-main/m.ps1

    • Size

      19KB

    • MD5

      ae7ecc84f54e2c2bcf487aa73dbd3711

    • SHA1

      f027679582be774738753672b3819b03b295b7cd

    • SHA256

      fff35825b3c3869ee627d762a06e7045461b2fb8c600a9374c24e75aa48d33a6

    • SHA512

      95375f9ea9f8181ba38d497baa537bd54d3dc703a0e248ce0f95a9547ca5995e3a477cb23f2936cda0a3c02dc54f3a763cdc17bbc2226b32ff0225923f9f4c92

    • SSDEEP

      384:kQAGuyyWpsuwyCIyEpsuipzb6HK6qQBe66kQBIFZNzNfNNiFBs9NTNJFL6psujp0:kQAGMgKaip2gtkVNzNfNNB9NTND08n9T

    • Score

      8/10

    • Blocklisted process makes network request

    • Target

      i965652f-main/svhost.vbs

    • Size

      1KB

    • MD5

      9ece58b626cb2036cdc1ff8b2cddbd6e

    • SHA1

      9b5303e6b1352e76c03e8b1eb62f5aae926f4a2a

    • SHA256

      09c43c5d316dbe800a65e341a42bbd8894d11eb9865f77851f3906035941ff61

    • SHA512

      60f93d48fa1c500517385b1916002bdedd2f5b8df9353e51c4d596502b3141f93fec9e3028538876ac495ba636d1b7557d41fdea2d16f849ac35e007841aa671

    • Score

      8/10

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks