General

  • Target

    SystemLanguage.zip

  • Size

    7.0MB

  • Sample

    250210-wmftgs1mav

  • MD5

    e85408b2eed92ba2e81129b1fcd337ab

  • SHA1

    49acb19a56382c3f155820364d342d95ac817a0d

  • SHA256

    710d9f879bf40d30248cb4aa3f23b216d5702021451ef7f7d445abdf85d851b0

  • SHA512

    c3b02b93d9edda644388ddddfc4b72f7acbe6469e6410ecdfcbe33fd3069f2e54e361e7367c070366073ba27ff15accc1299d9dae07614818ffbe6e0133acbe3

  • SSDEEP

    98304:Hx25WgvEGxrac5KKlhO+4u1BMjvHkQP4pvzhqADX80iH2I3Pyj7KvkYTprsy07ek:UsUEGzEKG+4uyPRPqzhqADs0i+wrQck

Targets

    • Target

      SystemLanguage.exe

    • Size

      7.2MB

    • MD5

      5f6bd390091f33aaae5fd29c12096309

    • SHA1

      2d2afedeca2d770d0b82aa114f343cd67accf5e1

    • SHA256

      85b9d581f0fb0c6000e5586d0aad392c7af2314d59eae33543a38d5d35d5160d

    • SHA512

      cdb64c283d66deb33c1ec2edab28c79af767b0f30f2265c793dbc0879b23a65d0a8e26d3758a04cceaa24ec4c712b3c8720f0d4ad7db3cfe144613c8c14bb892

    • SSDEEP

      98304:aB2pC6XG4HNkq5UKPhc24Y1/QPldHVTgPNhV0ADXqQgpkWDRIZVMnu0jjD8ueJU:XcUG4raKu24YY7HVT4hV0AD6QgqKRgX

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive data.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15
