General

  • Target

    SWIFT COPY REF _0678983536-751424400748_pdf.exe

  • Size

    660KB

  • Sample

    250507-k5pcssslz9

  • MD5

    e3808955cbbe76eeab8e5877f38c8317

  • SHA1

    103b54bc86439e25afad2eca14336a54ac3fc18a

  • SHA256

    49fda51d36f676d40da88b701660934a5e746c7df6c138a59d4192517e3618df

  • SHA512

    f045923827fea8640a8bbde0889fa58762d4e7d5d98bb8a050d9e654157f55d2890fe66d5681915b2345ec6aec0ebf0093757c8c9353092c0a4cbacf77ad2c04

  • SSDEEP

    12288:rEIzsB0Z2Pilb9RjpMJcNLCFIuCviJOSO1Po68eA2Sv6AglGE:m0kPilb91pMqTuIiJOj1Po68egCAw

Malware Config

Targets

    • Target

      SWIFT COPY REF _0678983536-751424400748_pdf.exe

      (size and hashes identical to those listed under General above)

    • DarkCloud

      An information stealer written in Visual Basic.

    • Darkcloud family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its console window hidden (the -WindowStyle Hidden switch or an unambiguous abbreviation of it such as -w hidden), so the user sees nothing.

    • Checks computer location settings

      Looks up the country code configured in the registry (typically Control Panel\International\Geo\Nation), a common geofencing check used to avoid running on hosts in unwanted regions.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      Writes a value under a CurrentVersion\Run key so the payload is relaunched at logon.

    • Blocklisted process makes network request

      A process the sandbox blocklists for network activity (living-off-the-land binaries such as PowerShell) opened a connection; given the PowerShell signature above, the script host is the likely source.

    • Legitimate hosting services abused for malware hosting/C2

      Contacts a legitimate public hosting or file-sharing service instead of operator-owned infrastructure; the report does not name the service.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

      Creates a thread with THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER, so an attached debugger receives no debug events for that thread.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger information class (0x11) on an existing thread for the same effect; both are classic anti-debugging tricks.
    • Target

      $PLUGINSDIR/nsExec.dll

      nsExec.dll is the stock NSIS installer plugin for running commands without a visible console, and $PLUGINSDIR is the temporary directory an NSIS installer unpacks its plugins into; its presence identifies the dropper as an NSIS-built installer, and the plugin itself is benign, which is why this object scores low.

    • Size

      6KB

    • MD5

      98bdb37511634dad8d1236d91d373b26

    • SHA1

      778cf74b4f8860cc378fa4e61aeba318197783ce

    • SHA256

      938580b466533dfa1461e9858fd106b60e1a52b713380915cc03afd3e4b4573c

    • SHA512

      5a7a903c2346750f20c0b41ceb6259bc7a5c9c6779acfeef94e0cea756aebabef58fdd83389353a165530279ec74ff20b903fc9a11acf475ef9471bd5e8d140e

    • SSDEEP

      96:CjHFiKaoggCtJzTlKXb0tbo68qD853Ns7GgmkND3m+s:nbogRtJzTlNR8qD85uGgmkNK

    Score
    3/10
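As an added example (not part of the report and not the sandbox's own rule logic), the Python below runs approximate versions of the host-side signatures listed above over constructed Sysmon-style JSON events: a Run key write, PowerShell launched with a hidden window, a script host making a network connection, a connection to a commonly abused public hosting service, and a file created under System32. The event records, process and host lists, and the rule names are illustrative assumptions.

```python
"""Hunt for the behaviours this report flags, over Sysmon-style JSON events.

Added example, not part of the sandbox report: the events below are
constructed to resemble Sysmon Event ID 1 (process create), 3 (network
connection), 11 (file create) and 13 (registry value set) exported as JSON
lines. The rules approximate the report's signature names; the sandbox's
own matching logic is not published here, and the host/process lists are
illustrative assumptions.
"""
import json
import re
from pathlib import PureWindowsPath

# Constructed events (not the sample's real execution trace). 203.0.113.10
# is a documentation address, not a real destination.
SAMPLE_LOG = r"""
{"EventID": 1, "ProcessId": 4120, "Image": "C:\\Users\\victim\\Downloads\\SWIFT COPY REF _0678983536-751424400748_pdf.exe", "CommandLine": "\"C:\\Users\\victim\\Downloads\\SWIFT COPY REF _0678983536-751424400748_pdf.exe\"", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "ProcessId": 4312, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -w hidden -ep bypass -c \"Start-Sleep 5\"", "ParentImage": "C:\\Users\\victim\\Downloads\\SWIFT COPY REF _0678983536-751424400748_pdf.exe"}
{"EventID": 13, "ProcessId": 4120, "Image": "C:\\Users\\victim\\Downloads\\SWIFT COPY REF _0678983536-751424400748_pdf.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "Details": "C:\\Users\\victim\\AppData\\Roaming\\Updater\\svc.exe"}
{"EventID": 11, "ProcessId": 4120, "Image": "C:\\Users\\victim\\Downloads\\SWIFT COPY REF _0678983536-751424400748_pdf.exe", "TargetFilename": "C:\\Windows\\System32\\updater.dll"}
{"EventID": 3, "ProcessId": 4312, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationHostname": "pastebin.com", "DestinationIp": "203.0.113.10", "DestinationPort": 443}
{"EventID": 1, "ProcessId": 5000, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe readme.txt", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 3, "ProcessId": 5100, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationHostname": "pastebin.com", "DestinationIp": "203.0.113.10", "DestinationPort": 443}
"""

# Persistence: any value written under ...\CurrentVersion\Run or \RunOnce.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# powershell.exe accepts any unambiguous prefix of -WindowStyle ("-w", "-win", ...)
# and of the value Hidden, plus the enum number 1; droppers use "-w hidden", "-w h", "-w 1".
HIDDEN_WINDOW = re.compile(
    r"(?:^|\s)-w(?:i(?:n(?:d(?:o(?:w(?:s(?:t(?:y(?:l(?:e)?)?)?)?)?)?)?)?)?)?"
    r"\s+(?:h(?:i(?:d(?:d(?:e(?:n)?)?)?)?)?|1)(?=\s|$)",
    re.IGNORECASE,
)
# Assumed blocklist: script hosts and LOLBins that rarely need the network themselves.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
# Browsers legitimately reach hosting sites, so they are excluded from that rule.
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
# Illustrative list of legitimate services frequently abused for payload hosting or C2.
ABUSED_HOSTING = ("pastebin.com", "raw.githubusercontent.com",
                  "cdn.discordapp.com", "api.telegram.org", "transfer.sh")
SYSTEM32 = "c:\\windows\\system32\\"


def basename(image):
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return PureWindowsPath(image).name.lower()


def evaluate(event):
    """Return the report signature names that this single event matches."""
    hits = []
    eid = event.get("EventID")
    image = basename(event.get("Image", ""))
    if eid == 13 and RUN_KEY.search(event.get("TargetObject", "")):
        hits.append("Adds Run key to start application")
    if eid == 1 and image in {"powershell.exe", "pwsh.exe"} \
            and HIDDEN_WINDOW.search(event.get("CommandLine", "")):
        hits.append("Command and Scripting Interpreter: PowerShell (hidden window)")
    if eid == 3 and image in SCRIPT_HOSTS:
        hits.append("Blocklisted process makes network request")
    if eid == 3 and image not in BROWSERS:
        host = event.get("DestinationHostname", "").lower()
        if any(host == d or host.endswith("." + d) for d in ABUSED_HOSTING):
            hits.append("Legitimate hosting services abused for malware hosting/C2")
    if eid == 11 and event.get("TargetFilename", "").lower().startswith(SYSTEM32):
        hits.append("Drops file in System32 directory")
    return hits


def hunt(log_text):
    """Parse JSON lines and return (ProcessId, signature) for every match."""
    alerts = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        for sig in evaluate(event):
            alerts.append((event.get("ProcessId"), sig))
    return alerts


def suspicious_processes(log_text, min_hits=2):
    """Group alerts by process; several distinct hits on one PID is worth triage."""
    per_pid = {}
    for pid, sig in hunt(log_text):
        per_pid.setdefault(pid, set()).add(sig)
    return {pid: sorted(sigs) for pid, sigs in per_pid.items() if len(sigs) >= min_hits}


if __name__ == "__main__":
    for pid, sigs in suspicious_processes(SAMPLE_LOG).items():
        print(pid, sigs)
```

The grouping step matters more than any single rule: a hidden-window PowerShell launch or a Run key write alone is noisy in an enterprise, but one process chain that does both and then talks to a public paste or file-sharing service is close to what the sandbox scored here. In production, correlate on ProcessGuid and parent links rather than the bare PID reused above.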

MITRE ATT&CK Enterprise v16