General

  • Target

    -π˜π˜™π˜Œπ˜Œ-𝓕𝓀𝓛𝓛-π—Ÿπ—”π—§π—˜π—¦π—§-𝐒𝐄𝐓𝐔𝐏.7z

  • Size

    19.0MB

  • Sample

    250704-xmwelsxtgt

  • MD5

    c59651c7b5428de3d94bfb87e01ce0bb

  • SHA1

    684442fe0f3178a7938fd7a416196942c72565dd

  • SHA256

    edb3b7063827beb3a720f64aa712844a8e12c1a042a842aad35c020ac4222f1e

  • SHA512

    54d6fd2392fc2159d1fa63d6485d3ae42931e35d7405c0db05d1824dd0ea46c41b739af6f79bd55af030080e36507a1c1b275cf4697c83bb0efc8687f140db6b

  • SSDEEP

    393216:0CbjgkERkPc3/OtUU3KuvQXnnG5gd4o47fVeDrE4HQGl6316Tbs:9s33/9yIXnG5FT792rXHQGU3ATg

Malware Config

Extracted

Family

hijackloader

Attributes
  • directory

    %APPDATA%\shtl

  • inject_dll

    %windir%\SysWOW64\pla.dll

  • xor.hex

Targets

    • Target

      𝑺𝑬𝑻𝑼𝑷.exe

    • Size

      3.2MB

    • MD5

      289250431113d46971278cff5d2a56fc

    • SHA1

      aeaf61a0d924731ce05fee01fd140df85f3b2d68

    • SHA256

      b8ef3a8efd03abacf7d711c0cc698fe95fb2984e39c02e39b5993c02eaef9dbc

    • SHA512

      8e578979ae672b15a43d198d1e6a9966f8393d97a2d7a65c871436b49d0a807f20952345057ea97423b8a50c11258e55c5ad5273cd676aefdfd72fdfbde368d5

    • SSDEEP

      49152:qgJAYksLnjmz21K3ikniIHRTf9RTTTih1r5Ipvy+Rp6tEsDYRW7s8UAT+qHk+6q7:OMjjrhs6tEsYyHU65pC9E

    • Detects DonutLoader

    • DonutLoader

      DonutLoader is position-independent code that enables in-memory execution of VBScript, JScript, EXE and DLL files, and .NET assemblies.

    • Donutloader family

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

MITRE ATT&CK Enterprise v16

Tasks