blankgrabber | 9589448fe5eaa68a5ebf0e5895f9ea33282f74bd1aea72bb797963afde649e24

General

Target

PlutoForce.rar
Size

33.5MB
Sample

250218-ldl9ssyrer
MD5

69bc35d6b2349af1f078b8b8106310dc
SHA1

730791a755670301cc33a4b7d073af6c4b1a33c7
SHA256

9589448fe5eaa68a5ebf0e5895f9ea33282f74bd1aea72bb797963afde649e24
SHA512

971549f7f93ccd573bb2e4c775ddb02b258e6945e7f13bb1aae449096ae841bb4e8247c0c299c6b42d92f8f4ebf9c2ba65f78ff68038d6245c85a56f71d7dba8
SSDEEP

786432:FrVdcTWpg1fTCyoEcYSoOIm9WLF+Bt7wvweHQhdx4:FrVdc6CCHcG9kMxewhdu

Score

10^/10

Malware Config

Targets

- Target
  
  PlutoForce/PlutoForce/FixedBuilder.exe
- Size
  
  32.3MB
- MD5
  
  11306d40b27d364f4404ee6581ee3753
- SHA1
  
  694ca56e9f691c952db01cbe8f674043d504429a
- SHA256
  
  c50df16135cdfea43185a54b0b831a95d647f97c3f8d9774bc45e3df0ad2ea6f
- SHA512
  
  45c9d459810a7fbe80c8a2913d3340d2f41a67cdcb2c03379a8d7f402a7a3f43f285c74404fdb05c1334be259cd4794cf75265c56102ac212b3eee486c1cb242
- SSDEEP
  
  393216:wCkry0xZPRorsYLauqWJTRGlMcD1bpY7D9sKWvyEXhoyhRD2NxpCt6B8Mha69aps:VNs3sJ5IeDWK4DixpTNkp/68Vg
Score

7^/10

discovery execution persistence privilege_escalation pyinstaller spyware stealer upx
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1
- Target
  
  PlutoForce/PlutoForce/PlutoProgram.exe
- Size
  
  300.0MB
- MD5
  
  714506b369ebd3a445ecdcc922b1d259
- SHA1
  
  d8df1ed79a24cba7fd1dab33c59ff9cfcc374eeb
- SHA256
  
  a34da5e4ce25f55eeed2c40aa30512bb896cc648354ce896436b5593fd35ef58
- SHA512
  
  dd92bc2d0728289a9b79ce1d98110a45d4c48d04e12424bc76e09a22d28149083c8ed63489b174ebd1e271d75866bf44ab8b3d7eaba6a867f049b18fe3a46013
- SSDEEP
  
  196608:NWo20HveveNTfm/pf+xk4dWRimrbW3jmyr:12sy/pWu4kRimrbmy4
Score

10^/10

defense_evasion discovery execution upx
- Deletes Windows Defender Definitions
  Uses mpcmdrun utility to delete all AV definitions.
  defense_evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Enumerates processes with tasklist
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral2