Overview

overview

8

Static

static

3

ssleay32.dll

windows7-x64

3

ssleay32.dll

windows10-2004-x64

8

libeay32.dll

windows7-x64

3

libeay32.dll

windows10-2004-x64

8

b72fj645/libeay32.dll

windows7-x64

3

b72fj645/libeay32.dll

windows10-2004-x64

8

b72fj645/o...ai.exe

windows7-x64

3

b72fj645/o...ai.exe

windows10-2004-x64

7

b72fj645/ssleay32.dll

windows7-x64

3

b72fj645/ssleay32.dll

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    auto.zip

  • Size

    4.4MB

  • Sample

    250214-ygme7axqgw

  • MD5

    73a03af2cba61e6e2d00cc0b58c37d60

  • SHA1

    96541def528d7703214734a1beebe4388e50ee48

  • SHA256

    07c66f1d4ddafad3bb6216c2a2640885b554f5cf964a83923279e6d995c84863

  • SHA512

    db769f91106d8f0cb71553fd2d60a9c47fa211c75686da65521c07d734369441344c6329c0685078b51649bbe373454307bd7d2b0ef47a235b675623fb6c79bd

  • SSDEEP

    98304:d+M01jILb7bbz/KO7X0S8mkMYelWoVpdcD4DIRJS3J3L:djvLb3HCa0SVVWoVjIKIiJ3L

Score
8/10
adwarecredential_accessdiscoverypersistenceprivilege_escalationspywarestealer

Malware Config

Targets

    • Target

      ssleay32.dll

    • Size

      330KB

    • MD5

      284e004b654306f8db1a63cff0e73d91

    • SHA1

      7caa9d45c1a3e2a41f7771e30d97d86f67b96b1b

    • SHA256

      2d11228520402ef49443aadc5d0f02c9544a795a4afc89fb0434b3b81ebdd28c

    • SHA512

      9c95824a081a2c822421c4b7eb57d68999e3c6f214483e0f177e1066fe3c915b800b67d2008181c954ad0403af0fa1ade3e4ea11d53ab7e13f4a3def9f89cf4f

    • SSDEEP

      6144:HZcUmTisWdw0HCXs2r84u5B//+AN7tpkKFsh1TW1Q4PQgu/7r2cEfXKrryAdH/8m:HZcUmGsWdw0HCXs2rdu5B/WAN7rkKFol

    Score
    8/10
    discovery

    • Downloads MZ/PE file

    behavioral1behavioral2

    • Target

      libeay32.dll

    • Size

      1.3MB

    • MD5

      de484d5dafe3c1208da6e24af40e0a97

    • SHA1

      3e27b636863fefd991c57e8f4657aded333292e1

    • SHA256

      007342c6b9b956f416f556b4bd6f1077e25bd077cc4f4ac136e3fccb803746e3

    • SHA512

      e871ba131965331dcd6e7ae0ef02734e157676c7d2bba791dae274395eaac90df3e0851bd67f1e12461287860281d488e7e82c9c11cbf4657052eec78f678c3d

    • SSDEEP

      24576:j3mX+KpPUqBeo0DN9d4gNIm0rsZBYddjpO3qJkBYEECY:oMaeZ74gNIm0rVdxpO3qKBZEC

    Score
    8/10
    discovery

    • Downloads MZ/PE file

    behavioral3behavioral4

    • Target

      b72fj645/libeay32.dll

    • Size

      1.3MB

    • MD5

      de484d5dafe3c1208da6e24af40e0a97

    • SHA1

      3e27b636863fefd991c57e8f4657aded333292e1

    • SHA256

      007342c6b9b956f416f556b4bd6f1077e25bd077cc4f4ac136e3fccb803746e3

    • SHA512

      e871ba131965331dcd6e7ae0ef02734e157676c7d2bba791dae274395eaac90df3e0851bd67f1e12461287860281d488e7e82c9c11cbf4657052eec78f678c3d

    • SSDEEP

      24576:j3mX+KpPUqBeo0DN9d4gNIm0rsZBYddjpO3qJkBYEECY:oMaeZ74gNIm0rVdxpO3qKBZEC

    Score
    8/10
    discovery

    • Downloads MZ/PE file

    behavioral5behavioral6

    • Target

      b72fj645/o83ln6488ai.exe

    • Size

      872KB

    • MD5

      c56b5f0201a3b3de53e561fe76912bfd

    • SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

    • SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    • SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    • SSDEEP

      12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01

    Score
    7/10
    discoveryadwarecredential_accesspersistenceprivilege_escalationspywarestealer

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Downloads MZ/PE file

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

      stealeradware

    • Drops file in System32 directory

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation
    behavioral7behavioral8

    • Target

      b72fj645/ssleay32.dll

    • Size

      330KB

    • MD5

      284e004b654306f8db1a63cff0e73d91

    • SHA1

      7caa9d45c1a3e2a41f7771e30d97d86f67b96b1b

    • SHA256

      2d11228520402ef49443aadc5d0f02c9544a795a4afc89fb0434b3b81ebdd28c

    • SHA512

      9c95824a081a2c822421c4b7eb57d68999e3c6f214483e0f177e1066fe3c915b800b67d2008181c954ad0403af0fa1ade3e4ea11d53ab7e13f4a3def9f89cf4f

    • SSDEEP

      6144:HZcUmTisWdw0HCXs2r84u5B//+AN7tpkKFsh1TW1Q4PQgu/7r2cEfXKrryAdH/8m:HZcUmGsWdw0HCXs2rdu5B/WAN7rkKFol

    Score
    8/10
    discovery

    • Downloads MZ/PE file

    behavioral10behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Browser Extensions

1
T1176

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Defense Evasion

Modify Registry

4
T1112

Credential Access

Credentials from Password Stores

2
T1555

Credentials from Web Browsers

1
T1555.003

Windows Credential Manager

1
T1555.004

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

2
T1012

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks