Overview

overview

10

Static

static

10

nexus-valo...EY.exe

windows7-x64

7

nexus-valo...EY.exe

windows10-2004-x64

7

nexus-valo...TO.exe

windows7-x64

1

nexus-valo...TO.exe

windows10-2004-x64

1

nexus-valo...th.dll

windows7-x64

1

nexus-valo...th.dll

windows10-2004-x64

1

nexus-valo...tk.dll

windows7-x64

8

nexus-valo...tk.dll

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    nexus-valo-checker-main.zip

  • Size

    41.7MB

  • Sample

    250206-lre3mssrfp

  • MD5

    e1f9584d8cf103a2ca1c072a6c001c38

  • SHA1

    6e8a8cf33c133436095dd7efd20043206c9a6d9d

  • SHA256

    19546d9e6ed5ffee4518d758d28c822bd28a62f7ea31124c5a18e3c11c9d3aed

  • SHA512

    53e7dab8be09a433393ede0cbe44fe6fc7e22115f0ff7adc75a0d47596c82ffac0612757bdcb143ad56ca1f540081e19ded54fc994040e045825cb0dc5067845

  • SSDEEP

    786432:en/1rpMdow4jE48KlwRZm6M/JTo6CRGO3SB3i67HV47aT34i:G/1lMdowmE48+wRZVM/qGO3CiMV5

Score
10/10
empyreandiscoverypersistenceprivilege_escalationpyinstallerspywarestealerupx

Malware Config

Targets

    • Target

      nexus-valo-checker-main/AUTHKEY.exe

    • Size

      24.1MB

    • MD5

      10915cf6269d9e936c006c3947efcde3

    • SHA1

      52101c768151144faf3460eea47fc3c9a8cf4e17

    • SHA256

      f47adecb91fae9d810102b39ff6be179e73fdb4f1aca13e50aa890a78b11de9c

    • SHA512

      7b165fbbdeb1e53004f468c54613bc30e6b88f77caf580129831085f9e62e274d594887ef55d5e25a2b1f796a6352437b87f51d6cee826b8c44b7ba24bdd8cc1

    • SSDEEP

      393216:/qPnLFXlr2ZzvdV14A+QhZw/UDOETgsvcGAhgndpMY3/66/TKmCP/:SPLFXN6zWA+QXuEa8kw/6x

    Score
    7/10
    upxdiscoverypersistenceprivilege_escalationspywarestealer

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

    • Target

      nexus-valo-checker-main/Nexus_PTO.exe

    • Size

      14.8MB

    • MD5

      d8c3acf551c8bed882e4ded939a2829f

    • SHA1

      b43964455628c95bc0ac961a96fb91680d828eed

    • SHA256

      f43a27b94dcc59b8ec24bc98461d467fd8d694269bccbd0893d1bba77149c097

    • SHA512

      2dfda1211e53e76607e0d4786a9de3993b9befd14683e862505bc148c18a223be9be4be90dbc129d98517222573fbddda652a20186d1a528c14a6863b21f4b6a

    • SSDEEP

      393216:18MiRMflXiOsRTH2mtGnqV5atidUdr9VkmscTXtXrq:1BiYXhmtGnqV5REVLTXtrq

    Score
    1/10
    behavioral3behavioral4

    • Target

      nexus-valo-checker-main/PTOAuth.dll

    • Size

      2.3MB

    • MD5

      ced7e9cdea3c1dceedab64214c6dcb83

    • SHA1

      73da7147478f83db810de4680e1e4fad13281a93

    • SHA256

      4287556856619243ab4546046cea447e2481b2e7a1e7a26855f28d49918bfd87

    • SHA512

      dee3a60236f044b7bee7baa384db5b9ecaa291d83583fa40cbac561e1419a481901a728d632653c150d5588ed29336fd64473e5ec5dbf11e7ca294c8dd278faf

    • SSDEEP

      49152:2COdg51mM0knpovqeMWgzQ41R9aMG9rZRikJNyVAuO2HA:2Jq5EkpEqeMbz9m3RZn/n2g

    Score
    1/10
    behavioral5behavioral6

    • Target

      nexus-valo-checker-main/stk.dll

    • Size

      915KB

    • MD5

      f1749e13c5e25da26a881aa81c82191e

    • SHA1

      d7d53c1e8073b28301743174da9d2705107a322c

    • SHA256

      1a2974a72b8fc9bedb514f6b79dcab5f039852fe39744ec65800fa7bc5f20e09

    • SHA512

      44f2e60359cc14e0d411541816a664e0886a81450173e3e0132c6988ff715fb1ce6c072d8fbdeb4f6939f00f11f60f9fef39ea54aff198ce9b02d845676c8419

    • SSDEEP

      24576:rjeya18c0p4jEpY3OLrebUAlvjx7r+vu:O7acA/paUMh+

    Score
    8/10

    • Blocklisted process makes network request

    behavioral7behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks