General
Target: a6ybp.zip.zip
Size: 78KB
Sample: 200911-99ezqla6nn
MD5: d3d855f2b859810cb4b09fdcc4feb3db
SHA1: 67962afafcc38f752a944e1162fa9e4eacb89ad4
SHA256: c9779bfb55b855152347b89c2daa6987c5782aab933c0fc98f9aee50e2c53ba6
SHA512: 52120aed552cfde60de6bbd45e77d174d6b8b8fc06502b5b80559610421487ada985cd32fe5844f4da8de8795cf2795bffee132011ce3dc37b5a222ce213004b
Static task: static1
Behavioral task: behavioral1
Sample: a6ybp.exe
Resource: win7v200722
Malware Config
Extracted
C:\Restore-My-Files.txt
lockbit
http://lockbit-decryptor.top/?96B283EF5B7ACD4CD0D00D70C0834F0A
http://lockbitks2tvnmwk.onion/?96B283EF5B7ACD4CD0D00D70C0834F0A
Extracted
smokeloader
2020
http://rexstat35x.xyz/statweb955/
http://dexspot2x.xyz/statweb955/
http://atxspot20x.xyz/statweb955/
http://rexspot7x.xyz/statweb955/
http://fdmail85.club/statweb955/
http://servicem977x.xyz/statweb955/
http://advertxman7x.xyz/statweb955/
http://starxpush7x.xyz/statweb955/
Targets
Target: a6ybp.exe
Size: 133KB
MD5: 5052c5edb614bae7449e4fe24466d312
SHA1: ac891f7448c5b5bef1e1b0d66fb6a020245131ab
SHA256: 25f38d1847951f8cbf676cd97216c830462bb875c405f781ae053dd8fbfc83f8
SHA512: c67abfee80001aa589cfc823be86a41ce8ca29bcd01baf57ce588c0ace6a918c650699b397a7baf6948b65cc97e899a43eae55cc8478c7057d2696419a2aef38
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Drops startup file
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext