General

  • Target

    '.zip

  • Size

    5.8MB

  • Sample

    250210-bevmfsxmcp

  • MD5

    015298327f989b4bf9ca735ca4a4eaf7

  • SHA1

    3cb17056d5ab6682dc67dd0151c0d156b429a911

  • SHA256

    5f3f3eb5e215d70e57267301a50e2161c6079784e1aa9f07766e1dbf5f7e6856

  • SHA512

    0cfc141deaba1da1b96cb4685d3b1db974b1a7c21bd628b28b6d9c6a24addba771a98d7a6b5909c019017beb6f7f4396e70c4e4943ecbc7e3332d9c6cf8c1167

  • SSDEEP

    98304:bzssJVGfFn4+hT2osNXa/yRAhGmCPORe9/ccMKNpmrC2ClSFKUoUcBJf:fPStn4vRUIMac+Xmz1kUOBJf

Malware Config

Targets

    • Target

      '/account gen loader.exe

    • Size

      5.9MB

    • MD5

      266eefb05c6be0a13b08e32a144df5a6

    • SHA1

      2efb3c8dbf424d5085c736e2304098154631674e

    • SHA256

      e14ed77b011d0957e6dd94b5f22c5a7c9f5f2e8545df2212dd36aa498e78ed71

    • SHA512

      935e4eeacc5bec3d37808c8243f843da203e1a3a72e58573f472e8a904ab3e6f7397112837c95126d0a620cc66a3b0183c2597d816cc11a591be66a876a78308

    • SSDEEP

      98304:JJDe7pzWqXr8MMhJMjarCtaCObO/OH9KkqQz4W1kgeD8FM843FMp3Y9:J0NzW5B6yA+KO0WRJi87p3Y9

    • Deletes Windows Defender Definitions

      Uses mpcmdrun utility to delete all AV definitions.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

MITRE ATT&CK Enterprise v15

Tasks