Overview
10General
-
Target
6245829281742848.zip
-
Size
453KB
-
Sample
220208-r51t6ahdb3
-
MD5
61cc4e3184588e79a3a6d93202e492f8
-
SHA1
f84f03679447a51c941527f047c324bc341e67d2
-
SHA256
46f18091cf10d22dfb79b372c9c0d44f3547ec2fb9f0f7c772ef08b33ed53a83
-
SHA512
0066d2f81b0325eb40492f8b91f78af1ef8fc1655c98bd523ff96d1ae6079ab5adf90432d3091dfcf4a8592b76c83ecc6c89c2028178b5ad9b00a18813cb8c61
Static task static1
Behavioral task behavioral1: Sample ScanClientUpdate/KM.EKeyAlmaz1C.dll, Resource win7-en-20211208
Behavioral task behavioral2: Sample ScanClientUpdate/KM.EKeyAlmaz1C.dll, Resource win10v2004-en-20220112
Behavioral task behavioral3: Sample ScanClientUpdate/KM.EKeyCrystal1.dll, Resource win7-en-20211208
Behavioral task behavioral4: Sample ScanClientUpdate/KM.EKeyCrystal1.dll, Resource win10v2004-en-20220112
Behavioral task behavioral5: Sample ScanClientUpdate/KM.FileSystem.dll, Resource win7-en-20211208
Behavioral task behavioral6: Sample ScanClientUpdate/KM.FileSystem.dll, Resource win10v2004-en-20220113
Behavioral task behavioral7: Sample ScanClientUpdate/KM.IDCard.dll, Resource win7-en-20211208
Behavioral task behavioral8: Sample ScanClientUpdate/KM.IDCard.dll, Resource win10v2004-en-20220113
Behavioral task behavioral9: Sample ScanClientUpdate/ScanClientUpdate.lnk, Resource win7-en-20211208
Behavioral task behavioral10: Sample ScanClientUpdate/ScanClientUpdate.lnk, Resource win10v2004-en-20220113
Malware Config
Extracted
cobaltstrike
1359593325
http://doggroomingnews.com:443/storage/main.woff2
-
access_type
512
-
beacon_type
2048
-
host
doggroomingnews.com,/storage/main.woff2
-
http_method1
GET
-
http_method2
POST
-
jitter
9472
-
polling_time
15000
-
port_number
443
-
sc_process32
%windir%\syswow64\dllhost.exe
-
sc_process64
%windir%\sysnative\dllhost.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCme/zaiZGT7pLjqDAy16p3eFtu90inaA2f41oeA4p/oHZuEumSy882EEc1UdIdb1t55cOwN7OQrfDBkRhcI9ZJuFVHFjb+O01lf9ppl+xBjW0Z7rjpo8RLJCmwNWyymCD1iQJuG0DSkU+RTjZPelztOIFqJS9twRnuhA7wGUGgkwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
5.76066816e+08
-
unknown2
AAAABAAAAAEAAABjAAAAAgAAAGQAAAANAAAADwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/storage/page.woff2
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4183.83 Safari/537.36
-
watermark
1359593325
Targets
-
-
Target
ScanClientUpdate/KM.EKeyAlmaz1C.dll
-
Size
165KB
-
MD5
021e42c964102fd263d474427ee78193
-
SHA1
8a6227b6db02b8ba278e13ccd6eece907e3657f0
-
SHA256
2fbe9b3eda5da1e2eded989941fdbb4e967245a53231d9c0c9333eb6486215c7
-
SHA512
d517bcb9cfdd4082242ed6a2d12abef54db5fb31da19ce3d91665268a9006a9d9cda69bf28a8395b501df1cc8b22d0968b7af965e8a120c2db6c1f85c2e528e2
Score 4/10
-
-
Target
ScanClientUpdate/KM.EKeyCrystal1.dll
-
Size
78KB
-
MD5
c21cccc561ca98da7ec8ef95b48ab8a7
-
SHA1
0fc6747f2bd560326ca40e76babd086420b184a8
-
SHA256
83b3bfd458fd458c6e95a1b580adb5c8b7e0e029468d348ea05879638a9aa243
-
SHA512
35831e39e8e3c1e90d284ffd8afcb60c1c5e84014aef6d02e736257e2f68bdb9c92e1797fcaf167515b52d9be2f5e0dd2d7825a7de6af8d56340d3103536767c
Score 4/10
-
-
Target
ScanClientUpdate/KM.FileSystem.dll
-
Size
282KB
-
MD5
66534e53d8751a24a767221fed01268d
-
SHA1
fc781887fd0579044bbf783e6c408eb0eea43485
-
SHA256
3b94cc71c325f9068105b9e7d5c9667b1de2bde85b7abc5b29ff649fd54715c4
-
SHA512
1f1b784b280bc34761ae93893ae7d95ebc6e5515542f153df7c91b00adfa796b3b2bee1a5857e0bb07d13c93b4df0eec3e1fd85911c79153b2d6c824a3a79369
Score 4/10
-
-
Target
ScanClientUpdate/KM.IDCard.dll
-
Size
224KB
-
MD5
f7fa5d0c24b508e4be1bd11ad15a7971
-
SHA1
d0efe19b25d1cf63ab131653e60c6fbae5271df5
-
SHA256
44f79ddc089fbcd5325f7786389b22dd99cdaa0c5d0857248f78a3f9abd542d0
-
SHA512
70cfbeb64728c14d38661264d5c422e36162a56805f7d20f5b288346e87394724b00b079f6145c2cc75bf2598a2796184092c7f0e6e92af30ec03e94f933414b
Score 4/10
-
-
Target
ScanClientUpdate/ScanClientUpdate.lnk
-
Size
1KB
-
MD5
d98d2caa6e63ca70c245e1d6eda2100b
-
SHA1
44b1884801c72dc8b218298aa1c537c69f2dfbfa
-
SHA256
74202eed181e2b83dd0ab6f791a34a13bd94e63e86b82395f9443cb5aeddc891
-
SHA512
2f63de892d0d757a2310ed5d1c59a8059b9a5fac9dc8c8f45c56b140d82e1009c9d25ff6a9ca9b27e571ee27e8a3329148f53a86cc73ef4a5384387526eb2cfa
Score 10/10
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.