Resubmissions
09/03/2025, 18:14
250309-wvp25axvd1 1009/03/2025, 15:53
250309-tb268svky7 808/03/2025, 20:22
250308-y5pv8asjy3 808/03/2025, 17:38
250308-v7ydlazrt9 907/03/2025, 15:40
250307-s4f9ssswaz 1007/03/2025, 13:18
250307-qj13cszzgz 306/03/2025, 15:59
250306-tfgfbssrs2 406/03/2025, 15:19
250306-sqa6mask16 805/03/2025, 14:43
250305-r3nf2s1tdt 805/03/2025, 14:28
250305-rtcm7a1ms4 8General
-
Target
test.txt
-
Size
18B
-
Sample
250305-r3nf2s1tdt
-
MD5
5b3f97d48c8751bd031b7ea53545bdb6
-
SHA1
88be3374c62f23406ec83bb11279f8423bd3f88d
-
SHA256
d8fce9dd9c65ca143343f7711859a7cffc3c5e656a8b84108183fb769a12ed8b
-
SHA512
ed2de1eec50310ced4bde8ef6ae4b7902920b007df7b6aeb200cfe9fcc0d36ef05af7526c4675be2feac52831668798d5fe3523175efad6f6549b30f30a0b5d6
Malware Config
Targets
-
-
Target
test.txt
-
Size
18B
-
MD5
5b3f97d48c8751bd031b7ea53545bdb6
-
SHA1
88be3374c62f23406ec83bb11279f8423bd3f88d
-
SHA256
d8fce9dd9c65ca143343f7711859a7cffc3c5e656a8b84108183fb769a12ed8b
-
SHA512
ed2de1eec50310ced4bde8ef6ae4b7902920b007df7b6aeb200cfe9fcc0d36ef05af7526c4675be2feac52831668798d5fe3523175efad6f6549b30f30a0b5d6
Score8/10-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Sets service image path in registry
-
Uses Session Manager for persistence
Creates Session Manager registry key to run executable early in system boot.
-
Executes dropped EXE
-
Impair Defenses: Safe Mode Boot
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Checks for any installed AV software in registry
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Mark of the Web detected: This indicates that the page was originally saved or cloned.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Event Triggered Execution
1Netsh Helper DLL
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Safe Mode Boot
1Modify Registry
3Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Peripheral Device Discovery
1Query Registry
5Software Discovery
1Security Software Discovery
1System Information Discovery
6System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1