General
- Target: IMG_578_60_28_61XLS.exe
- Size: 560KB
- Sample: 210413-bwtfgydtqa
- MD5: 5ea03c09bf25d3d79ca5a936a18c0ae9
- SHA1: 13806150e3063f266b2fa752a517a4dff3bea533
- SHA256: 18cfa8c68fe25199694faf0d2e9fe0fe86e872b1c20620098a68309ade161000
- SHA512: 2c15022a942ba5dc97425c614972fda775645bf01c9b9a063b0aae5f3dda5da16304016c9e4598aff70af887ecadd1946f34b18d43d82fa08ab31c8ab9ae2ab3
Static task
- static1

Behavioral task
- behavioral1
  - Sample: IMG_578_60_28_61XLS.exe
  - Resource: win7v20210410
- behavioral2
  - Sample: IMG_578_60_28_61XLS.exe
  - Resource: win10v20210408
Malware Config
- Extracted
  - oski
  - novget.com
Targets
- Target: IMG_578_60_28_61XLS.exe
- Size: 560KB
- MD5: 5ea03c09bf25d3d79ca5a936a18c0ae9
- SHA1: 13806150e3063f266b2fa752a517a4dff3bea533
- SHA256: 18cfa8c68fe25199694faf0d2e9fe0fe86e872b1c20620098a68309ade161000
- SHA512: 2c15022a942ba5dc97425c614972fda775645bf01c9b9a063b0aae5f3dda5da16304016c9e4598aff70af887ecadd1946f34b18d43d82fa08ab31c8ab9ae2ab3
- Modifies WinLogon for persistence
- Downloads MZ/PE file
- Deletes itself
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext