2691ac49a444378f3c668c7eaaf0e0e0abf95c5c3053a516b3f9a78c9a8885ba.zip

General
Target

2691ac49a444378f3c668c7eaaf0e0e0abf95c5c3053a516b3f9a78c9a8885ba.zip

Size

6MB

Sample

220518-a971labcf9

Score
10 /10
MD5

1f3c765913617a01d4954e13142589e8

SHA1

28269a052b131d1455c2e194037be1fd3b29b91a

SHA256

2917d37a1531a370ed83705fac885ab8aa568886a326cf6233073436bdd2585e

SHA512

5f0db96856854ea4ba62596f1114ec3958f259c669915f32fb4411f7959ccf4436760d7d63ca25f0f50dee0463cf13740bf7df0d4ce9414eedfdf24c02181d74

Malware Config

Extracted

Language ps1
Deobfuscated
URLs
ps1.dropper

http://supportnimbuzz.hexat.com/3/Att.jpg
Targets
Target

2691ac49a444378f3c668c7eaaf0e0e0abf95c5c3053a516b3f9a78c9a8885ba.exe

MD5

5f9e61796a21e65f9a03f92ee6a8f6d8

Filesize

6MB

Score
10/10
SHA1

d6032fd04db0fbb6195b6e8d31491a3fc289f1ce

SHA256

2691ac49a444378f3c668c7eaaf0e0e0abf95c5c3053a516b3f9a78c9a8885ba

SHA512

402ed4a2a376621e2674f1539c9ec6ac85b9118cb2133054ea2d960e98bf06efdd12b50f135841872450d3e07c231d2b6d8cab91315f05771226ec2546596eeb

Tags

Signatures

  • Blocklisted process makes network request

  • Executes dropped EXE

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query RegistrySystem Information Discovery

  • Drops startup file

  • Loads dropped DLL

Related Tasks

behavioral1
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Discovery
          Execution
            Exfiltration
              Impact
                Initial Access
                  Lateral Movement
                    Persistence
                      Privilege Escalation
                        Tasks

                        static1

                        8/10

                        behavioral1

                        10/10