Overview

overview

10

Static

static

10

New folder....9.exe

windows7-x64

7

New folder....9.exe

windows10-2004-x64

8

�qmǺ.pyc

windows7-x64

�qmǺ.pyc

windows10-2004-x64

New folder...is.dll

windows7-x64

1

New folder...is.dll

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    New folder.zip

  • Size

    9.6MB

  • Sample

    250131-cex81sxlhs

  • MD5

    ee3b8fb137da3b45ff45209c7deca5d4

  • SHA1

    38ff4421df63eec0ad4ba5a5172fe39d3307f468

  • SHA256

    eca32e9f0df9c63c1c40c41a4ce875647204b1ad16a4d6481fd0bbaf84137984

  • SHA512

    6f79d3fd0ea99cff6266413eea8a70b61f68c96ce99fc832bd284ec73bae263243cd4fcdc060442990e3a4bede8688a3901483d5eef33a3b594e19f9ddf6dd4d

  • SSDEEP

    196608:P6mzzktcqwBtcwfgj7cGrvT2cUME+tD1Tte6YyzAGL6B7tVNnRF4D:P6mptLgHLTjUD+XTATGuhFk

Score
10/10
blankgrabbercollectioncredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywarestealerupx

Malware Config

Targets

    • Target

      New folder/Extreme Injector 3.7.9.exe

    • Size

      9.7MB

    • MD5

      d11292c0ac47d4e94e7d559c8f78b1c5

    • SHA1

      b4844bb254aad45fbe0df4245984439f5866952f

    • SHA256

      dde48a18a10a2111c5668a88ae9c06b38cfc3f040f07ebe522d5739aacf9bce7

    • SHA512

      892b135aab6372b77830690a77a8460cccafecdbbc3a5faca804f5f98946cef06e306bbf43534c50d4213b6d7ddacaed767017d7d03092492159a16ad1e92c8c

    • SSDEEP

      196608:/7DRkd644/5cwfI9jUCBB7m+mKOY7rXrZu6SELooDmhfvsbnTNWA:TaK5DIHL7HmBYXrkRoaUN3

    Score
    8/10
    upxcollectioncredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywarestealer

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

      defense_evasion

    • Enumerates processes with tasklist

      discovery

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

    • Target

      �qmǺ.pyc

    • Size

      1KB

    • MD5

      e9956c03357a8396bcbec84967949321

    • SHA1

      086129a4f34d6e4645e747cf5ce3dd58eec577a9

    • SHA256

      712523b49632a65650661db895f88e1b3d83c7c14c0248b446962c875e7eaa05

    • SHA512

      30b0a92e4f6a106af5b75c522d31f64179d82b65bed039a3c1c9c37f440c5e03a6abb5ee8920f5c4016f63a3113e2d32f1ec71e6a425fcb0eaa1d877b9faa5da

    Score
    1/10
    behavioral3behavioral4

    • Target

      New folder/KryptDis.dll

    • Size

      14KB

    • MD5

      49f8f3f3458a6d569be5b190de140bc9

    • SHA1

      8f82a43edf3e408fd07ab6fabc748bb086b357fa

    • SHA256

      4eb8c3d52db672ac7b11fcb73b6865cd05a53b78fcd33566b07313b4ca0c90d7

    • SHA512

      1b6cbdef0618a5c41ea81f1c282f53761e54cb4a08e38c59c9ce0d571adc1815fd1b8c99fcb221b2051608bae7fbdd14134f5d70081533a74bfa1399ebd1f25a

    • SSDEEP

      192:acLgKgN6ylAPz1t0U/Ef3tFwSLz1qyTSb0dyWDkp0vyDgzw1MefoHDTud:ZS6nPRiU/cFrn2b3M2oXu

    Score
    1/10
    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Obfuscated Files or Information

1
T1027

Command Obfuscation

1
T1027.010

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Browser Information Discovery

1
T1217

Process Discovery

1
T1057

System Information Discovery

3
T1082

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Clipboard Data

1
T1115

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks