c8fbdfebce02c75b83f14b5706f8b874435c33d48cc868bf046f13fe3dfad98d | Triage

Sharing

General

Target

INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
Size

223KB
Sample

200630-32fyp3mbsj
MD5

0b89e3e11d64e96a9eb841c297c3e795
SHA1

ee91492d04556958af32986a5f235a4c528c9178
SHA256

c8fbdfebce02c75b83f14b5706f8b874435c33d48cc868bf046f13fe3dfad98d
SHA512

d91acd5c4b45ef6b7f5a6a006c74e067e193bbac6beef17f5c8893fbed0e6f40d3cde335b21f1068a48f5ba6e4164616d568dcab58bb306c18a5fada16aed690

Score

8^/10

persistence spyware

Malware Config

Targets

- Target
  
  INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
- Size
  
  223KB
- MD5
  
  0b89e3e11d64e96a9eb841c297c3e795
- SHA1
  
  ee91492d04556958af32986a5f235a4c528c9178
- SHA256
  
  c8fbdfebce02c75b83f14b5706f8b874435c33d48cc868bf046f13fe3dfad98d
- SHA512
  
  d91acd5c4b45ef6b7f5a6a006c74e067e193bbac6beef17f5c8893fbed0e6f40d3cde335b21f1068a48f5ba6e4164616d568dcab58bb306c18a5fada16aed690
Score

8^/10

persistence spyware
- Executes dropped EXE
- Sets DLL path for service in the registry
  persistence
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Adds Run entry to start application
  persistence
- Modifies WinLogon
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

persistencespyware

behavioral2