General
- Target: 686b8f21c35d25b40be1b589c4ae9687d5bdcd5c5c9394fe4f456ca800edc883
- Size: 3.0MB
- Sample: 220310-eg774sgehp
- MD5: aba555a7e54895aa652cdf73e4a9c1a5
- SHA1: 30c3572cbbeb81815f73b425d410ce9d1c5e9b3c
- SHA256: 686b8f21c35d25b40be1b589c4ae9687d5bdcd5c5c9394fe4f456ca800edc883
- SHA512: f7fcee3972532a605554ce15614371b79c3a7870dc8e809593a46a9e51e817795f7f1b386c08731a346c04bdf01d1f8715290539aabf806eae24c5d3332d526a
Static task: static1
Behavioral task: behavioral1
- Sample: 686b8f21c35d25b40be1b589c4ae9687d5bdcd5c5c9394fe4f456ca800edc883.exe
- Resource: win7-20220223-en
Behavioral task: behavioral2
- Sample: 686b8f21c35d25b40be1b589c4ae9687d5bdcd5c5c9394fe4f456ca800edc883.exe
- Resource: win10v2004-en-20220113
Malware Config
Targets
- Modifies security service
- NirSoft WebBrowserPassView: password recovery tool for various web browsers
- Nirsoft
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies extensions of user files: ransomware generally changes the extension on encrypted files.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Sets desktop wallpaper using registry