PULSE NAME
Registers as “Default Print Monitor”, but is a malicious downloader. Meet DePriMon
WHITE Lamberts AlienVault 2019-11-21 Modified: 2019-12-21
33 IOCs
MEDIUM VOLUME
DePriMon is a multi-stage malicious downloader that uses many non-traditional techniques. To achieve persistence, the malware registers a new local port monitor, a trick that falls under the “Port Monitors” technique in the MITRE ATT&CK knowledge base. It does so under the name “Windows Default Print Monitor”, which is why we have named it DePriMon. Due to its complexity and modular architecture, we consider it to be a framework.
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
DePriMon Lambert
Indicators of Compromise (2 / 33 total)
TYPE INDICATOR DESCRIPTION CREATED
FileHash-SHA256 c097cf17dc3303bc8155534350464e50176aca63842b0973831d8c6c8f136817 2019-11-21
FileHash-SHA256 8d35913f80a23e820c23b3125abf57901bc9a7b83283fb2b240193abdede52b9 2019-11-21