General

  • Target

    layemor.7z

  • Size

    77.8MB

  • Sample

    250501-3mc6xsxwbs

  • MD5

    5049cd27885c0313e9910521cba1369f

  • SHA1

    26fba37d81c45db929c854bd9112f8b34620e914

  • SHA256

    67133a6db3d3badb6ccc0cc51cf5395f2c50c9d4eed96782dc5e3756523eee1e

  • SHA512

    766540133593a213c68e07d0bd68f809ed4d1e3fb73a160e89262a1e849ec6ad5e1f5547a728aff0cafea63f67f694d4ea4703269c56ec027dfd32b5d711909e

  • SSDEEP

    1572864:nix4fPWweK4ZZSSB5Yl6p43cMpN1CY3+lm9zstfaagV2lLCGh:nfr4ZZSM5O6RMgY3x9zstzgKLVh

Malware Config

Targets

    • Target

      Layemor.exe

    • Size

      164.9MB

    • MD5

      1692d3c0aa131bdecd2f20446c96988e

    • SHA1

      ad4c2fa6b3101f8b94b2992f22215771e7e36853

    • SHA256

      ce05412da391972405cbd2cd918e01c69d94147b5067c6b66a97d98d7a8bcf75

    • SHA512

      996c6c5e4f8ddbcdac5b36cbb1b2307d576f4c64c333cfe134641dcb5b166c3542f3b1b8432928308472dc26c000f204d44e25f3dd332542c1b3584d05a9cce9

    • SSDEEP

      1572864:amIh9FimkfWTs6+LkanRWYS8a4lN+WTi6qSFK2u73JvPaKD2JsR2/tVBcpZOcrQD:QsFWY7ihS4kVP

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Command and Scripting Interpreter: PowerShell

      Uses a powershell.exe command.

    • Legitimate hosting services abused for malware hosting/C2

    • An obfuscated cmd.exe command-line is typically used to evade detection.

    • Enumerates processes with tasklist

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v16

Tasks