General

  • Target

    spoofer.exe

  • Size

    72.6MB

  • Sample

    250328-w88rdszth1

  • MD5

    f06fcb2b9cf6e48c978de8140a9895f3

  • SHA1

    b4efe7dc8c3701f38daf2aaf74ef088d1ac48d04

  • SHA256

    b2665f90c1c54dcc77aa3cc62acde7f92101b570159a13dc7c5b774665a9bee6

  • SHA512

    b2ea578a7f59af51b81fb43f459dea81981310096290a83fb8e4a6c809b5f5e03938c4aebc0f721522471055bcf5a64a93b5f1d5cced4283941eec9b7188f15b

  • SSDEEP

    1572864:Y4gPXMouRfKSSloORl5ojezrH9PotADF1bp4HJNTD7dFGuzg07/R:Y4AcHRfmoORwjeNllpMNTF4uzg6R

Malware Config

Targets

    • Target

      spoofer.exe

    • Size

      72.6MB

    • MD5

      f06fcb2b9cf6e48c978de8140a9895f3

    • SHA1

      b4efe7dc8c3701f38daf2aaf74ef088d1ac48d04

    • SHA256

      b2665f90c1c54dcc77aa3cc62acde7f92101b570159a13dc7c5b774665a9bee6

    • SHA512

      b2ea578a7f59af51b81fb43f459dea81981310096290a83fb8e4a6c809b5f5e03938c4aebc0f721522471055bcf5a64a93b5f1d5cced4283941eec9b7188f15b

    • SSDEEP

      1572864:Y4gPXMouRfKSSloORl5ojezrH9PotADF1bp4HJNTD7dFGuzg07/R:Y4AcHRfmoORwjeNllpMNTF4uzg6R

    • Modifies WinLogon for persistence

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to collect system information as an elevated (administrator) user.

    • Creates new service(s)

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Enumerates processes with tasklist
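
The signatures above are behaviour rules the sandbox matched while the sample ran. As an added illustration, not the sandbox's own rule code and not derived from this sample's trace, the Python below implements detection logic for seven of those signatures and runs it over constructed Sysmon-style process, registry and network events. The event contents, the list of IP-echo hosts, the Winlogon default values and the ATT&CK technique IDs are assumptions made for the example; the report itself publishes no ATT&CK mapping.

```python
# Added example for this report: behaviour rules for the signatures listed
# above, run over constructed Sysmon-style telemetry. Not code from the
# sandbox or the sample; events, hosts and the ATT&CK mapping are assumptions.
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    event_index: int
    signature: str   # name as the report lists it
    technique: str   # ATT&CK Enterprise ID (our own mapping, not the report's)
    image: str
    evidence: str

# Stock values of the Winlogon entries most often hijacked (assumed defaults
# for a standard Windows 10/11 install; compared case-insensitively).
WINLOGON_DEFAULTS = {"shell": "explorer.exe", "userinit": r"c:\windows\system32\userinit.exe,"}
# Public IP-echo services commonly used to learn the victim's external IP (assumed list).
IP_LOOKUP_HOSTS = {"api.ipify.org", "ifconfig.me", "icanhazip.com", "ip-api.com", "ipinfo.io"}
SHADOW_COPY = [re.compile(p, re.I) for p in (
    r"vssadmin(\.exe)?\s+delete\s+shadows",
    r"wmic(\.exe)?\s+shadowcopy\s+delete",
    r"win32_shadowcopy.*\.delete\(\)")]
REMOTE_DEBUG = re.compile(r"--remote-debugging-(port|pipe)\b", re.I)
TASKLIST = re.compile(r"(^|\\|\s)tasklist(\.exe)?(\s|$)", re.I)
POWERSHELL = re.compile(r'(^|\\|\s|")(powershell|pwsh)(\.exe)?(\s|"|$)', re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
WINLOGON = re.compile(r"\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", re.I)

def check_process(idx, ev):
    cmd, img, hits = ev["cmdline"], ev["image"], []
    if any(p.search(cmd) for p in SHADOW_COPY):
        hits.append(Finding(idx, "Deletes shadow copies", "T1490", img, cmd))
    if REMOTE_DEBUG.search(cmd):
        hits.append(Finding(idx, "Uses browser remote debugging", "T1185", img, cmd))
    if TASKLIST.search(cmd):
        hits.append(Finding(idx, "Enumerates processes with tasklist", "T1057", img, cmd))
    if POWERSHELL.search(cmd):
        hits.append(Finding(idx, "Command and Scripting Interpreter: PowerShell",
                            "T1059.001", img, cmd))
    return hits

def check_registry(idx, ev):
    key, value, img, hits = ev["key"], ev["value"], ev["image"], []
    m = WINLOGON.search(key)
    # Windows itself writes Winlogon\Shell and \Userinit, so the key alone is
    # not evidence; flag only a value that deviates from the stock default.
    if m and value.strip().lower() != WINLOGON_DEFAULTS[m.group(1).lower()]:
        hits.append(Finding(idx, "Modifies WinLogon for persistence", "T1547.004",
                            img, f"{key} = {value}"))
    if RUN_KEY.search(key):
        hits.append(Finding(idx, "Adds Run key to start application", "T1547.001",
                            img, f"{key} = {value}"))
    return hits

def check_network(idx, ev):
    if ev["host"].lower() in IP_LOOKUP_HOSTS:
        return [Finding(idx, "Looks up external IP address via web service",
                        "T1016", ev["image"], ev["host"])]
    return []

CHECKS = {"process": check_process, "registry": check_registry, "network": check_network}

def scan(events):
    # Apply every rule to every event; findings come back in event order.
    findings = []
    for idx, ev in enumerate(events):
        findings.extend(CHECKS[ev["type"]](idx, ev))
    return findings

def signatures_hit(findings):
    return sorted({f.signature for f in findings})

# Constructed telemetry (not from the sample's run); indices 6 and 9 are benign.
SPOOFER = r"C:\Users\u\AppData\Local\Temp\spoofer.exe"
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"type": "process", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"chrome.exe" --remote-debugging-port=9222 --headless'},
    {"type": "process", "image": r"C:\Windows\System32\tasklist.exe",
     "cmdline": "tasklist /FO CSV /NH"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoProfile -Command Get-ComputerInfo"},
    {"type": "registry", "image": SPOOFER,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "value": r"explorer.exe,C:\Users\u\AppData\Roaming\svc.exe"},
    {"type": "registry", "image": r"C:\Windows\System32\svchost.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "value": "explorer.exe"},
    {"type": "registry", "image": SPOOFER,
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\u\AppData\Roaming\svc.exe"},
    {"type": "network", "image": SPOOFER, "host": "api.ipify.org"},
    {"type": "network", "image": r"C:\Windows\System32\svchost.exe",
     "host": "www.msftconnecttest.com"},
]
```

`scan(SAMPLE_EVENTS)` returns eight findings: both shadow-copy deletions, the remote-debugging browser launch, tasklist, PowerShell, the Winlogon Shell hijack, the Run key and the ipify lookup. The svchost.exe write of the stock `explorer.exe` value and the connectivity probe are not flagged. The Winlogon rule compares the written value against the default rather than firing on the key name; that comparison is what keeps it quiet on a clean host, and the same approach applies to Userinit.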

    • Target

      $PLUGINSDIR/StdUtils.dll

    • Size

      100KB

    • MD5

      c6a6e03f77c313b267498515488c5740

    • SHA1

      3d49fc2784b9450962ed6b82b46e9c3c957d7c15

    • SHA256

      b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

    • SHA512

      9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

    • SSDEEP

      3072:WNuZmJ9TDP3ahD2TF7Rq9cJNPhF9vyHf:WNuZ81zaAFHhF9v

    Score
    3/10
    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      0d7ad4f45dc6f5aa87f606d0331c6901

    • SHA1

      48df0911f0484cbe2a8cdd5362140b63c41ee457

    • SHA256

      3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

    • SHA512

      c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

    • SSDEEP

      192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6

    Score
    3/10
    • Target

      LICENSES.chromium.html

    • Size

      8.8MB

    • MD5

      2675b30d524b6c79b6cee41af86fc619

    • SHA1

      407716c1bb83c211bcb51efbbcb6bf2ef1664e5b

    • SHA256

      6a717038f81271f62318212f00b1a2173b9cb0cc435f984710ac8355eb409081

    • SHA512

      3214341da8bf3347a6874535bb0ff8d059ee604e779491780f2b29172f9963e23acbe3c534d888f7a3b99274f46d0628962e1e72a5d3fc6f18ca2b62343df485

    • SSDEEP

      24576:cpD6826x5kSWSsRinoHnmfm646a6N6z68SH4SApTJ:cHSek

    Score
    4/10
    • Target

      d3dcompiler_47.dll

    • Size

      4.7MB

    • MD5

      2191e768cc2e19009dad20dc999135a3

    • SHA1

      f49a46ba0e954e657aaed1c9019a53d194272b6a

    • SHA256

      7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d

    • SHA512

      5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

    • SSDEEP

      49152:KCZnRO4XyM53Rkq4ypQqdoRpmruVNYvkaRwvhiD0N+YEzI4og/RfzHLeHTRhFRNc:xG2QCwmHPnog/pzHAo/A6l

    Score
    1/10
    • Target

      ffmpeg.dll

    • Size

      2.8MB

    • MD5

      81c363fc39264141b885c776da70578f

    • SHA1

      d964524264395028b9f1e0de39dce452f55f0340

    • SHA256

      9b5e61f5e55e95ef88a56ebe847dd1718cc9d7bef611e15a0c07e5683a1f5a32

    • SHA512

      add7056fa377c738e54495ae974baba01382e085ef200e0771b67b022e139fba3d401f67b9239a025c5c08ab7f78a1dcaee24115f0656799a9055d403c49d127

    • SSDEEP

      49152:2F5qb84KtStWEK/Ju2lf3tAtiLHQVTf6yfcrhCHDXLl8+0LKSQgSCu:2FvSkJXv+tiLAD0+DgS5

    Score
    1/10
    • Target

      libEGL.dll

    • Size

      477KB

    • MD5

      5630854322ee4e1f9591a0545b44cee4

    • SHA1

      04f4604b2aba7a185b9d7cde803dd8159adb599f

    • SHA256

      96050bf777c9337859ecad1746030542e5449c988890492fd604abcf10f3e995

    • SHA512

      5e2c237d81af76bd9703c75e36b577b21876c9c669d0b909777d39b7ac0445639e99bfed79f31498d0449540b7d110e919ad5313b5ff32628b32359bb801498f

    • SSDEEP

      6144:68hd1BSjuMmof2SEXVVfgV8hxN7h2NBIEOg51f0FticyQ:68DXSjZmof2SEsmN12NBIE7f0FticyQ

    Score
    1/10
    • Target

      libGLESv2.dll

    • Size

      7.3MB

    • MD5

      6170726e3fac951bc339ad3ec7bc3fff

    • SHA1

      fff178059369c4894466e9f458847f40941729e5

    • SHA256

      ee7bdb05f40ca11bb24bc0530775533ea0b3333507682ff64587be9b4aca7da3

    • SHA512

      27aa306196bf0c1dbad4986e2b05d3bb30d5416a7788fa91a5f67012f9aa476e7b5319ebd1a93589f49ffe15617723cbe79f23ca4edd58bc73342ffec9f00550

    • SSDEEP

      98304:LDRTxwF+JsIp05zu0uDqqvE9xLHvKMZ3R6hf:LDJlJsYQAqj/oF

    Score
    1/10
    • Target

      resources/app.asar.unpacked/node_modules/deasync/bin/linux-ia32-node-0.10/deasync.node

    • Size

      7KB

    • MD5

      1e618351faea6e9c751b9ea4f9e876fc

    • SHA1

      238651059b169b78832118b41ea4177293e105e0

    • SHA256

      ba8d7856d6998e2b1dc31606ae2e4649f626158d9fa216ad8e9e2b2342f466b3

    • SHA512

      e732a594e71bb3f3421f6c1b690454f84893e3c15685d320b216f9f55c4b2020aab0ac760a24729b18c6ef7980abc6fd796c010b0389fdc634734b1f8af593c5

    • SSDEEP

      96:QSik5IkmaBWBP+JUIo1aY0EC0BXyPaKubFUAlKEcU1pp2j6tcqUH0rcf7aJuBz64:VX8pEUd1JC0BXiAbpcUi0wfYuhb4M

    Score
    1/10
    • Target

      resources/app.asar.unpacked/node_modules/deasync/bin/linux-ia32-node-0.11/deasync.node

    • Size

      7KB

    • MD5

      e73515b1fb742bb08bca12e3b983c2be

    • SHA1

      b052e420c71f91b2aa7ad76f917e87fc640d844b

    • SHA256

      8c9a267ed39869a926b3606e0c10910a3fa6a6a1708b329b4361eb433b336675

    • SHA512

      0415634410e80051f6256ebefaf5f807b232f1266d4fe7c86b5b73d95cd749d3d48ec9996d287ac0f5cc6f46100388012d42e5e5e16a5e28c8791263f6fa20b0

    • SSDEEP

      96:BkAriBWBPhIAasI8EaLzUwpQ1FrhYSo/sQU9tX0yyYLM1R3O4xCgf77F60hBCB8c:CF8pSAKtZw8FrgCIqgf/hQmro

    Score
    1/10
    • Target

      resources/app.asar.unpacked/node_modules/deasync/bin/linux-ia32-node-0.12/deasync.node

    • Size

      7KB

    • MD5

      e73515b1fb742bb08bca12e3b983c2be

    • SHA1

      b052e420c71f91b2aa7ad76f917e87fc640d844b

    • SHA256

      8c9a267ed39869a926b3606e0c10910a3fa6a6a1708b329b4361eb433b336675

    • SHA512

      0415634410e80051f6256ebefaf5f807b232f1266d4fe7c86b5b73d95cd749d3d48ec9996d287ac0f5cc6f46100388012d42e5e5e16a5e28c8791263f6fa20b0

    • SSDEEP

      96:BkAriBWBPhIAasI8EaLzUwpQ1FrhYSo/sQU9tX0yyYLM1R3O4xCgf77F60hBCB8c:CF8pSAKtZw8FrgCIqgf/hQmro

    Score
    1/10
    • Target

      resources/app.asar.unpacked/node_modules/deasync/bin/linux-ia32-node-10/deasync.node

    • Size

      12KB

    • MD5

      32bfb4d8f7c93cf3514b03a54b5fdfe4

    • SHA1

      ade02a1cd5a63f30c9a8e9a59da7be1fa1da3af1

    • SHA256

      b85e37fdac8fae3edd6e9f0b6784c10bd81b7c4e67b24cf3c19f76ff0e260a39

    • SHA512

      c65799079acaabd4f941a8f40344aa60cd5797bb3010266e1f7b7e52821f2175bf4da081ce5cbb9f2d67cfbbdcd90f53012b1bca4e5160607a911e2fa76fdb3c

    • SSDEEP

      192:bd8p5FKBSGPZfYZTbbR2xgvZg4nqnljPg7hlFaWi/Zz47ABlo:b2FsQTbMuniljPh/By

    Score
    1/10
    • Target

      resources/app.asar.unpacked/node_modules/deasync/bin/linux-ia32-node-4/deasync.node

    • Size

      12KB

    • MD5

      d75ef340d8ed8930e36cec41aea4c98a

    • SHA1

      489054dc8cd4d97b82cbe2bbe3e9ccd08c0c2aad

    • SHA256

      1a2941e905cde3b321092a881eb70fbf85ccc222314887f25fde0feb4f94476f

    • SHA512

      1738049f2f0ee1106a0ee44ccd268e7ae70f8288f8b348d7506fd0eff54119de8865abb8f15385621a7d25dc1874fcb30bf71fbc4f003f83c0890d6ddce1c94d

    • SSDEEP

      192:X8p55KBFvmwVI1n0zid2tYJgyhgf+Wqfl/ihs:s51YmJgV7s

    Score
    1/10
    • Target

      resources/app.asar.unpacked/node_modules/deasync/bin/linux-ia32-node-5/deasync.node

    • Size

      12KB

    • MD5

      4792a2369c349b595f617a6eb21f0c23

    • SHA1

      02ea0b31ce914c552302d57df1812b8bdbe6edd1

    • SHA256

      2ff680b9fbad47817c48435847b128807f3a88d11ad8e0aa8791d8bb723b5b4b

    • SHA512

      6cf1cb74c7156d16285e43b0b0c22f065244588247c9698fac4a420990caf69d2d3422e80c07b0b1cc6866e4048717362d81c59877fa291ab9a009f5ec0791b5

    • SSDEEP

      192:G8p55KBFvmwVI1nLVid2tYugyhgf+Wqfl/ihs:N51lmugV7s

    Score
    1/10
    • Target

      resources/app.asar.unpacked/node_modules/deasync/bin/linux-ia32-node-6/deasync.node

    • Size

      12KB

    • MD5

      4b29664ae4acc4b68b9c6ad3b4ee6013

    • SHA1

      5761104d4b77f2e2c73e69ed83c357aec857d43e

    • SHA256

      a5fafd14fa4d8fcad200363dcc6d030a6e95198cc5258cf8c9224f504563171c

    • SHA512

      c94b3c3dea65d94be91402cba19d211ce0c0fbe2b3019d12accfb5b0948c308f32c46650bdca3b09ec72e0274f4d8c197eeb4c4ff20001b7e0c826020abe4669

    • SSDEEP

      192:98p55KBFvmwVI1nLDid2tYRgyhgf+Wqfl/ihs:W51fmRgV7s

    Score
    1/10
    • Target

      resources/app.asar.unpacked/node_modules/deasync/bin/linux-ia32-node-7/deasync.node

    • Size

      12KB

    • MD5

      a5260dffbf5f85686c5eae0b08ab8cef

    • SHA1

      bd338d5260253cb29a78020cb219fe154e4bbbcf

    • SHA256

      dac86300142aeb2c82afafb2be80bdbc15266716fd23006f39993204ec753b12

    • SHA512

      768a4d53f37b223af9503da5610675f1b63169d79e254177368f121ec869183ba30fb962df8ef0586b4a204477283f0008fafd8606181dfd10c83992298d6897

    • SSDEEP

      192:mz/8p5FKBF6mY3Rjlb7KcyYhXUb38mo94hlFaWis47Aalap:wkFTb1yYWbZoLs/

    Score
    1/10
    • Target

      resources/app.asar.unpacked/node_modules/deasync/bin/linux-ia32-node-8/deasync.node

    • Size

      12KB

    • MD5

      59d10bfeb449924f8a94718f0c7f493d

    • SHA1

      c2a376a6b3e11bb08b220f5333b64c86db3cd4e5

    • SHA256

      390d514ecf093ddcb2059eda475eaba8047c8972fbb0c208f0a2cf7d07d0d622

    • SHA512

      471a057794e5b1a64af4a1d00cdb36d042d6b167294096eefc529fe2171e14636f7db0faca7ccb73bb8af9d88a9d2ebcf5ea4f80be0c35ac0dd72ca45549e648

    • SSDEEP

      192:m0/8p5FKBF6mY3Rjlb76cyYhXOb38mo94hlFaWis47Aalap:vkFTbFyYMbZoLs/

    Score
    1/10
    • Target

      resources/app.asar.unpacked/node_modules/deasync/bin/linux-ia32-node-9/deasync.node

    • Size

      12KB

    • MD5

      05ab05e5f047b26b216531e724cca2c3

    • SHA1

      5dfa40b2b7a7767a25f7ff2b63f787e6dcf59b4e

    • SHA256

      2ef7e384231f3fe4ac83a75edd74ce86373258bd9ec33c9c640a02fbb5c40d03

    • SHA512

      b51b163e95b29e9f8248442218c47034020544d70651b31d656c1b9cb956a71bf7aee11a50d5f7138ad8cf77abe08159da64bece1237907e33d7f409d75ff050

    • SSDEEP

      192:mN/8p5FKBF6mY3Rjlb7KcyYhXsb38mo94hlFaWis47Aalap:SkFTbVyYubZoLs/

    Score
    1/10
    • Target

      resources/app.asar.unpacked/node_modules/deasync/bin/linux-x64-node-0.10/deasync.node

    • Size

      9KB

    • MD5

      7d3238fe9ff12cff8cbf681853b26937

    • SHA1

      c12555cf13707728226aa8367c5ad0fb1035648b

    • SHA256

      834598193babc22bee11867dd49fb5422b2c252682816fa33e25eb6b37fcb71a

    • SHA512

      936dc818bf479eb9b9f935990f1eb5e44d95bcc71d47ffba2f250aabcedfe51706906f728389c183ecdbab68af12ca980e7e3b359dc25a4ad6a9e1bd85e736fe

    • SSDEEP

      96:Ra71wUv+JUIo1aGE9nWi7n49bxHRgTlUprW+tQcVoutcOjW7q5tk5NOui+:RaWUvEUdQ9nWH7rAm5tk5b

    Score
    1/10
    • Target

      resources/app.asar.unpacked/node_modules/deasync/bin/linux-x64-node-0.11/deasync.node

    • Size

      13KB

    • MD5

      dab1d2054f5ebd0e6100f36bcd3812fc

    • SHA1

      7e4f0f53f8f5e244fd79ea802bc6b5ff1630dfe5

    • SHA256

      2c3b0d455b452b1126c644b5a4a345e5c1b1cb21fc32001b8566898e7e7ae0ad

    • SHA512

      d907353d326f81a7f64f01cc95f44646d29609d7fff3872414e6fb01ed5087a70be3264d824befe7ffbfb51b8d886da9cd9d71fe46f5e6fa34203e81be28744d

    • SSDEEP

      192:RI8pSAKtocw9vVXXazARVfT0a2gffhQmSBo:GAltnEARVfB

    Score
    1/10
    • Target

      resources/app.asar.unpacked/node_modules/deasync/bin/linux-x64-node-0.12/deasync.node

    • Size

      13KB

    • MD5

      1a70ddb29898bc9d35e4d7864eecb9ea

    • SHA1

      c9ebdc2e89969ab828a21334f6f9ee71f5cb7d6c

    • SHA256

      6f9538e90abc0a8d339776e8a154e3130886d69330c0b5e2b6676df941ff7984

    • SHA512

      d5583c66947842387d03b6fa256b1eb59c9ed45f1498f58e55795aa69f6fd766c3af884c04bfd936a2270f652d1d239301c97373866f2ed64ca57a8eb0a2464e

    • SSDEEP

      192:RI8pSAKtZwyX5cQVzY2lzArbc2BKgfQhQmro:iAkX5cmM2dA02BUo

    Score
    1/10
    • Target

      resources/app.asar.unpacked/node_modules/deasync/bin/linux-x64-node-10/deasync.node

    • Size

      29KB

    • MD5

      596a14f93497f29341a3666785eacee8

    • SHA1

      0d5ba208345becf71e47a2053f20718ec02a21bc

    • SHA256

      7a0d4b4c6892b92311f0ded43b816a9f59760f4f77399ddf36e3186776fb81bd

    • SHA512

      4d015f2a9fd86bcb3c29804960f7e6ce0403b65ca810b4b132736797cda6fc27037917e221914cafc0744ed7a7731bf405c2a73a922cdacfb36b4be91f5ae793

    • SSDEEP

      384:uhyhOovlbBshMReu6mv3xzCF4dmR9XKwfLhIDm7/gZJdtqxaA6FKocKyVJxKIe:ZbBVe+P1CFBIGo7dtxKzKkK

    Score
    1/10
    • Target

      resources/app.asar.unpacked/node_modules/deasync/bin/linux-x64-node-11/deasync.node

    • Size

      29KB

    • MD5

      f4d9e2d9e0d407b4f5e0834229e780ca

    • SHA1

      1c4bb7a5cf1ef024349b01bdb4578057438d3270

    • SHA256

      e52248e6e3c07da1eafbb75b24437834969e7e1c43e5239a81d4d5248786d305

    • SHA512

      b44221c0686ea6d90e59a7d86cdc77d2ab78074f7a076c0ec2a025ccf3c8356fc18babe24332005c7419ab476530e2b5e4e8a8bd37cd20a3cf87e876171e1128

    • SSDEEP

      384:ChyhOovlbB5xPYp9Ki2QD11mmPATFRjguIYNmK/WZSwEaA6FKocKyVJxKIeu:lbBcpcU1GREaNHqSwZKzKkK

    Score
    1/10
    • Target

      resources/app.asar.unpacked/node_modules/deasync/bin/linux-x64-node-12/deasync.node

    • Size

      29KB

    • MD5

      f4d9e2d9e0d407b4f5e0834229e780ca

    • SHA1

      1c4bb7a5cf1ef024349b01bdb4578057438d3270

    • SHA256

      e52248e6e3c07da1eafbb75b24437834969e7e1c43e5239a81d4d5248786d305

    • SHA512

      b44221c0686ea6d90e59a7d86cdc77d2ab78074f7a076c0ec2a025ccf3c8356fc18babe24332005c7419ab476530e2b5e4e8a8bd37cd20a3cf87e876171e1128

    • SSDEEP

      384:ChyhOovlbB5xPYp9Ki2QD11mmPATFRjguIYNmK/WZSwEaA6FKocKyVJxKIeu:lbBcpcU1GREaNHqSwZKzKkK

    Score
    1/10
    • Target

      resources/app.asar.unpacked/node_modules/deasync/bin/linux-x64-node-13/deasync.node

    • Size

      29KB

    • MD5

      f4d9e2d9e0d407b4f5e0834229e780ca

    • SHA1

      1c4bb7a5cf1ef024349b01bdb4578057438d3270

    • SHA256

      e52248e6e3c07da1eafbb75b24437834969e7e1c43e5239a81d4d5248786d305

    • SHA512

      b44221c0686ea6d90e59a7d86cdc77d2ab78074f7a076c0ec2a025ccf3c8356fc18babe24332005c7419ab476530e2b5e4e8a8bd37cd20a3cf87e876171e1128

    • SSDEEP

      384:ChyhOovlbB5xPYp9Ki2QD11mmPATFRjguIYNmK/WZSwEaA6FKocKyVJxKIeu:lbBcpcU1GREaNHqSwZKzKkK

    Score
    1/10

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

discovery
Score
7/10

behavioral2

collection, credential_access, defense_evasion, discovery, execution, impact, persistence, privilege_escalation, ransomware, spyware, stealer
Score
10/10

behavioral3

discovery
Score
3/10

behavioral4

discovery
Score
3/10

behavioral5

discovery
Score
3/10

behavioral6

discovery
Score
3/10

behavioral7

discovery
Score
3/10

behavioral8

discovery
Score
4/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

Score
1/10

behavioral20

Score
1/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

Score
1/10

behavioral30

Score
1/10

behavioral31

Score
1/10

behavioral32

Score
1/10