General

  • Target

    Feral Depths.7z

  • Size

    97.6MB

  • Sample

    250328-1dyp6a1yhz

  • MD5

    45cdefe8f307a7b1de3cbb8d260034d0

  • SHA1

    42daa574352d3349d999b0ce4f781780cc64868f

  • SHA256

    48e87793724ddaf0bda810e4a1d9859f9123dc753d78198af9c5f813e612c445

  • SHA512

    f322b5a01d14da4f3efafbff7a08da94d51d9a23400d85f30d8b264e455b870da88aef60e6a2c2fff42d1b981f38c20570c7e4654abf9426d878d862b9f8e469

  • SSDEEP

    1572864:tgcsQkUe1TdK5VTWzZTq/J04pYJ7cFqe4Y+0yDaGGXgQN2YE0h+XvOp+gRg8:tgPQk1cMm/i4i7cd4Ymt62YVgS+V8

Malware Config

Targets

    • Target

      Feral Depths.exe

    • Size

      98.1MB

    • MD5

      1f9e29546de030dddbbb222dd4cc3a3b

    • SHA1

      b3098ec3e12fc880dfd65e8365b68ebc76004422

    • SHA256

      722f7cf2ab16009ee0907fa887034ca8f88fac0b8067f3c54e69587335a94369

    • SHA512

      a0839a1de2c578b49889a018c782718bf53e239bb6dc951c684966a3d9f46f030761d4379fa29be3e9334471e7dc9ec4b69a5d88751ca922dc6c2864e560f2be

    • SSDEEP

      1572864:FXaHmwSnUuNZO/KHqpbp5K6dkePuqKQZaRrwLguql2ssjVo7EkwhvHCFjVs:FXKmDUEYVpE6jPu6ZaSTjjVUOdCPs

    • Renames multiple (109) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Enumerates processes with tasklist

    • Target

      SetupGame.exe

    • Size

      191.0MB

    • MD5

      a4f1551abd8f6d3a94061c8c21b1c8c7

    • SHA1

      182e448ba0b9ef1405232d8fafa0da8f735b7e8b

    • SHA256

      be5cf24e8c40828552780368515d428ebacb35ded4034a7297d4e5abd214cff6

    • SHA512

      b11c849e1eeb9fd3efd8fdf9a72598b51dae5906d64959b266190dc5518fdcdd892b2d84ffb37d39639fe8644f397947fc6a45aec3c534db4a325a3766798dbe

    • SSDEEP

      1572864:JpnoNjghwW/8lxj9UNia0SUp6esGCA/Ys92JDSN01TCwaMWPwVdWeKtT4ZuBF/Ak:kiryLxW

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Enumerates processes with tasklist

MITRE ATT&CK Enterprise v15

Tasks