Overview

overview

10

Static

static

10

Spoofer/RecClean.exe

windows7-x64

7

Spoofer/RecClean.exe

windows10-2004-x64

8

Spoofer/ru...on.bat

windows7-x64

1

Spoofer/ru...on.bat

windows10-2004-x64

1

Spoofer/ru...te.vbs

windows7-x64

1

Spoofer/ru...te.vbs

windows10-2004-x64

1

Spoofer/ru...ss.bat

windows7-x64

5

Spoofer/ru...ss.bat

windows10-2004-x64

5

Spoofer/ru...ut.exe

windows7-x64

1

Spoofer/ru...ut.exe

windows10-2004-x64

3

Spoofer/ru...en.bat

windows7-x64

1

Spoofer/ru...en.bat

windows10-2004-x64

1

Spoofer/ru...ox.exe

windows7-x64

1

Spoofer/ru...ox.exe

windows10-2004-x64

3

Spoofer/ru...id.ps1

windows7-x64

3

Spoofer/ru...id.ps1

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Spoofer.zip

  • Size

    7.6MB

  • Sample

    250124-k2rczs1jfy

  • MD5

    12d87cd2b41c036b82386b620fecc273

  • SHA1

    4d2ce23c79a8f8206fb1c9ce16c235a3c696fec6

  • SHA256

    3fb7315786ca0509d9474f42492805fff4374cd46fbaee960ceb96686798e6cd

  • SHA512

    2255122f2c729fdee7294ecccc04b5bcd6928bc4763cb92e823937537a792a382607cf1b9cec37598114f9fff2a712488bfcb57102b0f8b26a7196bcbffa2b59

  • SSDEEP

    196608:AKhhOFvurErvI9pWjg/Qc+4o673pNrabeSyzWtPMYnNcsp:FqurEUWjZZ4dDLIehzWtPTNzp

Score
10/10
blankgrabberdefense_evasiondiscoveryexecutionspywarestealerupx

Malware Config

Targets

    • Target

      Spoofer/RecClean.exe

    • Size

      7.5MB

    • MD5

      5847a34a14c128f6446123a0e6477d68

    • SHA1

      bbee7bd5ace0ed47c025c2f30779ff900567b704

    • SHA256

      403a7d45e143efcfb4c0435a8d62db2cbaeb714f6a15cbfc4871135616edcdfe

    • SHA512

      d80ee3a98e854b44391a33d5e896b70ef78d98456d7ef81b14d81ccfd2476aa91b2327a8d0535c871bdbbe8e290e46695d9bf7fb22028eb6733788481fea7476

    • SSDEEP

      196608:+KhhOFvurErvI9pWjg/Qc+4o673pNrabeSyzWtPMYnNcsY:3qurEUWjZZ4dDLIehzWtPTNzY

    Score
    8/10
    upxdefense_evasiondiscoveryexecutionspywarestealer

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

      discovery

    • Hide Artifacts: Hidden Files and Directories

      defense_evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

    • Target

      Spoofer/run after cleaner/Monotone-HWID-Spoofer-0.0.1/Button.bat

    • Size

      5KB

    • MD5

      96fefe69f2facf74197a8af3004a6167

    • SHA1

      80baf02b5d984dd8055ac3a6f42593ad98b78307

    • SHA256

      38aa0c1ad69d96732c776cbd73275f5ccb881d42158158b32815dad869ef9876

    • SHA512

      1aa6335a5cc340191613c52fa3e55625ed058abad8bd8d5ed1575bb9cd59b19e1fb3fcf3f5df199ea6f9b9d10bdee45e099c9247457b35ea65c7b1e403f0e888

    • SSDEEP

      96:X1UCLtcZQBjROHl4EF3r+QOAwD3MMcEzySfuP0wOYwwYW2s:XTeGBlqlXF3yDcMJ2+uP0wuwY7s

    Score
    1/10
    behavioral3behavioral4

    • Target

      Spoofer/run after cleaner/Monotone-HWID-Spoofer-0.0.1/Commands/Hidden/UnbanComplete.vbs

    • Size

      49B

    • MD5

      4edf8ecaf575c93e307bdce09aa46e8c

    • SHA1

      76c189b32fd69a3694e1dd14776cee1c1cc6c483

    • SHA256

      537f70f7b018610dfedd4bcecf041d845eab0c673e129185c2345eb68a95fe77

    • SHA512

      ce5921344aadcc9fce5141d416ca92e5772c1c37a0e8724c09c6c2ac579528a21e5fc8659c91db68810763b403fd9760d75102f6c22db84f8f5fe13fefaf6f1a

    Score
    1/10
    behavioral5behavioral6

    • Target

      Spoofer/run after cleaner/Monotone-HWID-Spoofer-0.0.1/Commands/Hidden/process.bat

    • Size

      1001B

    • MD5

      2d3f9b2d001abd6e58ac6f0e7337c619

    • SHA1

      7053a604a394f479b643783098adb056d69a404b

    • SHA256

      ef702ce2f8fb1bc71fb60e8b95cb83cef4fa66aa96afd7ca4fd67c96530b6e53

    • SHA512

      60d4a7e203e37194f4a78f1c581728197b3cd6581d70e185ba6d0d8206aca3a732319b28fef776028015615ebc0ab164a9c935081cd2496b866c63ad6358fccf

    Score
    5/10
    discovery

    • Enumerates processes with tasklist

      discovery
    behavioral7behavioral8

    • Target

      Spoofer/run after cleaner/Monotone-HWID-Spoofer-0.0.1/GetInput.exe

    • Size

      3KB

    • MD5

      2ba62ae6f88b11d0e262af35d8db8ca9

    • SHA1

      69d4ccb476cfebdf572134fead42a12750580e4b

    • SHA256

      3f5c64717a0092ae214154a730e96e2e56921be2e3f1121a3e98b1ba84627665

    • SHA512

      a984212245e401b68872623437a512898a00d71cca7d7b0aa6733663020cae92d50ce1ae3abafbd811542a77e72c8b6a5755492c07d6ddeb2642d908142c2ccb

    Score
    3/10
    discovery
    behavioral10behavioral9

    • Target

      Spoofer/run after cleaner/Monotone-HWID-Spoofer-0.0.1/Getlen.bat

    • Size

      1KB

    • MD5

      8c1812e76ba7bf09cb87384089a0ab7f

    • SHA1

      d3edf2ba081073139960a955e812e6bb7f63817b

    • SHA256

      83ce5342710a2f2e385a363402661e3426728dd6bcfe9d87e22f2fb858b07bde

    • SHA512

      618abe11f65fe95cdc1f1834bf24ddbbea789c971788af7d2248b880e53d11a3c4302bd8e3c3c36b934f5f7d975d1b142fae8fd23c9ed6cfa118c97e01f6fd14

    Score
    1/10
    behavioral11behavioral12

    • Target

      Spoofer/run after cleaner/Monotone-HWID-Spoofer-0.0.1/batbox.exe

    • Size

      1KB

    • MD5

      cb4a44baa20ad26bf74615a7fc515a84

    • SHA1

      2581868c3d560e2b200d4f21d83271430167b377

    • SHA256

      9553bc17fa0fd08e026c1865812b3388e3d5495a5394bbf671e5a8f21c79989a

    • SHA512

      d19e6d0ccd89e52efdd2363185564cf83fcf3a37b55659dd1fd8b6574cf45b6147989b2c7b1e8029ce8136aa7ff74900494c1a30bbb65b96d9880ab7f77b6140

    Score
    3/10
    discovery
    behavioral13behavioral14

    • Target

      Spoofer/run after cleaner/Monotone-HWID-Spoofer-0.0.1/hwid.ps1

    • Size

      3KB

    • MD5

      05673d49cc5f31e3d4812b7cb7419641

    • SHA1

      07b3b298b067439da6e6ae37e51bb1701c33165a

    • SHA256

      c7c54526b07f457e58d423ab22d61a0efd78ad112be2ef0a1efe6c25013df185

    • SHA512

      5f5f380a3cad0cf1aa95244d6b1fca4ccdd10c8c882e045405d5600f242b8ed3306f485a3396db9c362f345b79b03d2db79aad7a1d92f09167beea0acf524d32

    Score
    3/10
    execution
    behavioral15behavioral16

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

2
T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Process Discovery

1
T1057

Remote System Discovery

1
T1018

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks