General
- Target: dogovor.doc
- Size: 8KB
- Sample: 210226-8fna5qyhja
- MD5: 372c2759cee22609b6b848e74eacdbc9
- SHA1: e4e20687e2f8a8954bb11d4cdb40ce99dcb44b4d
- SHA256: 85c83d12212145e186408c1910dbc95a301a13a70e37a7a32b3e14c48c8b832b
- SHA512: ca89e1ba5109b365355a9be780d5088c68b245974ab66033ee8b964a45a711430e99f8f4f167b555e52ebb8733b54d921b18f3736d052a55be353bc4c9009aa2
Static task: static1
Behavioral task: behavioral1 (Sample: dogovor.doc; Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: dogovor.doc; Resource: win10v20201028)
Malware Config
Targets
- Target: dogovor.doc
- Size: 8KB
- MD5: 372c2759cee22609b6b848e74eacdbc9
- SHA1: e4e20687e2f8a8954bb11d4cdb40ce99dcb44b4d
- SHA256: 85c83d12212145e186408c1910dbc95a301a13a70e37a7a32b3e14c48c8b832b
- SHA512: ca89e1ba5109b365355a9be780d5088c68b245974ab66033ee8b964a45a711430e99f8f4f167b555e52ebb8733b54d921b18f3736d052a55be353bc4c9009aa2
- BitRAT Payload
- ACProtect 1.3x - 1.4x DLL software: Detects file using ACProtect software.
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients: Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients: Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers: Infostealers often target stored browser data, which can include saved credentials and similar data.
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext