General
-
Target
run_848a9.exe
-
Size
1.7MB
-
Sample
211029-fephnahcek
-
MD5
67c86865ba800ab9f761356d4cc5c08c
-
SHA1
1f3dcc460c3fb02704e69cd8509445a92ac3600d
-
SHA256
8dbbe3e8657d87e842026b7051a7b0680d3838749773997df91f123034a7566d
-
SHA512
328c47921cfa939403736e63d0a5f5659dce3a916a44e6d0b0434ae4672bf96530a86cb19c2709a67914381fd8fc1c40b6e12209a35735743a8988a6166b50ff
Malware Config
Targets
-
-
Target
run_848a9.exe
-
Size
1.7MB
-
MD5
67c86865ba800ab9f761356d4cc5c08c
-
SHA1
1f3dcc460c3fb02704e69cd8509445a92ac3600d
-
SHA256
8dbbe3e8657d87e842026b7051a7b0680d3838749773997df91f123034a7566d
-
SHA512
328c47921cfa939403736e63d0a5f5659dce3a916a44e6d0b0434ae4672bf96530a86cb19c2709a67914381fd8fc1c40b6e12209a35735743a8988a6166b50ff
Score10/10-
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
-
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Blocklisted process makes network request
-
Creates new service(s)
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-