Overview

overview

10

Static

static

3

MegaHack v...UP.exe

windows11-21h2-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    MegaHack v5.4 SETUP.exe

  • Size

    14.6MB

  • Sample

    250311-wyqsts1ydw

  • MD5

    21f8588ba383393390d76ca642d73183

  • SHA1

    292d500d0ab46c701b33a93284e99a5144078be6

  • SHA256

    85f9e216a24dd777f8e4b7db008128d402355eb93a316fa6ba6c6d8392720a19

  • SHA512

    6426425fcf4ca0ae1ebfbc5b1b91f86a4b9a1bb7a9dc1f648879d3f810c1e5a36d0f3b56effe1f204d0e1847eb93b0ca00fd7c5c2899a8097268f9eddfcbcbd0

  • SSDEEP

    393216:mEGDkj4i79yFTB3HWNmHrjAbh6pBKzd25iFsmF5cISZH:mnA/EFTB3RHyzQxmF5C

Score
10/10
guerrillaotpstealerdefense_evasiondiscoveryexecutionexploitinfostealerpersistenceprivilege_escalationratspywaretrojan

Malware Config

Targets

    • Target

      MegaHack v5.4 SETUP.exe

    • Size

      14.6MB

    • MD5

      21f8588ba383393390d76ca642d73183

    • SHA1

      292d500d0ab46c701b33a93284e99a5144078be6

    • SHA256

      85f9e216a24dd777f8e4b7db008128d402355eb93a316fa6ba6c6d8392720a19

    • SHA512

      6426425fcf4ca0ae1ebfbc5b1b91f86a4b9a1bb7a9dc1f648879d3f810c1e5a36d0f3b56effe1f204d0e1847eb93b0ca00fd7c5c2899a8097268f9eddfcbcbd0

    • SSDEEP

      393216:mEGDkj4i79yFTB3HWNmHrjAbh6pBKzd25iFsmF5cISZH:mnA/EFTB3RHyzQxmF5C

    Score
    10/10
    guerrillaotpstealerdefense_evasiondiscoveryexecutionexploitinfostealerpersistenceprivilege_escalationratspywaretrojan

    • Guerrilla

      Guerrilla is an Android malware used by the Lemon Group threat actor.

      trojaninfostealerratguerrilla

    • Guerrilla family

      guerrilla

    • Guerrilla payload

    • Otpstealer

      Otpstealer is an Android SMS Stealer that targets OTP first seen in February 2022.

      trojaninfostealerspywareotpstealer

    • Otpstealer family

      otpstealer

    • Otpstealer payload

    • Creates new service(s)

      persistenceexecution

    • Downloads MZ/PE file

    • Manipulates Digital Signatures

      Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

    • Possible privilege escalation attempt

      exploit

    • Stops running service(s)

      defense_evasionexecution

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

2
T1569

Service Execution

2
T1569.002

Persistence

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Privilege Escalation

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Defense Evasion

File and Directory Permissions Modification

1
T1222

Impair Defenses

1
T1562

Modify Registry

1
T1112

Subvert Trust Controls

2
T1553

SIP and Trust Provider Hijacking

2
T1553.003

Credential Access

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Query Registry

4
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Service Stop

1
T1489

Tasks