General
Target: 200bc25fa093ce65f41baa1c3efe02dcc238b04cb57a6fc5ee87da1e04d6e168
Size: 352KB
Sample: 200529-7vyvv1q9qn
MD5: 166244c2351bf9c164a887f48b53882a
SHA1: 263188e9bdeec2b13e3b4a19730eff44fb804c5f
SHA256: 200bc25fa093ce65f41baa1c3efe02dcc238b04cb57a6fc5ee87da1e04d6e168
SHA512: 00f175762fa9dba2515cff3d61a13222ed7834f38cc7c66f17a1e1ae5421da323360bdae9873f1c615962b7cbf7527cffc0f5ef4c9a0df21c9d4ba64883663ec
Static task: static1
Behavioral task: behavioral1
Sample: 200bc25fa093ce65f41baa1c3efe02dcc238b04cb57a6fc5ee87da1e04d6e168.exe
Resource: win7v200430
Behavioral task: behavioral2
Sample: 200bc25fa093ce65f41baa1c3efe02dcc238b04cb57a6fc5ee87da1e04d6e168.exe
Resource: win10v200430
Malware Config
Extracted from: C:\$Recycle.Bin\S-1-5-21-910373003-3952921535-3480519689-1000\howto_recover_files_mlwxe.txt
- http://6fjhsy630.ylk768dhg67fj.com/61F5D9E75E5916CB
- http://djru34dnd.lgk749kch8ej.com/61F5D9E75E5916CB
- https://7vhbukzxypxh3xfy.onion.to/61F5D9E75E5916CB
- http://7vhbukzxypxh3xfy.onion/61F5D9E75E5916CB
Extracted from: C:\$Recycle.Bin\S-1-5-21-1231583446-2617009595-2137880041-1000\howto_recover_files_jlmod.txt
- http://6fjhsy630.ylk768dhg67fj.com/5B4F49854903D7E
- http://djru34dnd.lgk749kch8ej.com/5B4F49854903D7E
- https://7vhbukzxypxh3xfy.onion.to/5B4F49854903D7E
- http://7vhbukzxypxh3xfy.onion/5B4F49854903D7E
Targets
Target: 200bc25fa093ce65f41baa1c3efe02dcc238b04cb57a6fc5ee87da1e04d6e168
Score: 10/10
Signatures:
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Deletes itself
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials.
- Adds Run entry to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Program crash
- Modifies service