General
-
Target
ef532b7599eb9bf2fc0b623d8568253e528b0eb8f0d85e93240cb19f3a7319e7
-
Size
1.2MB
-
Sample
220520-3lc5jahba5
-
MD5
af45006bf0bbefe448cfa41eba239e0a
-
SHA1
b2941bda9cd76b3f6ceb7413cd01279108e09406
-
SHA256
ef532b7599eb9bf2fc0b623d8568253e528b0eb8f0d85e93240cb19f3a7319e7
-
SHA512
8f6049be06bd486a92404114f569f5c7b7e3cb0879ee37b8527f25eacb89856f9a1657786e2f78f4373ba3d5a6fd8b103474a9edecaea935a799bf0009654911
Malware Config
Targets
-
-
Target
RYBHRDEM.EXE
-
Size
730KB
-
MD5
ddcedc6c5eee7ab024355785fdb398d2
-
SHA1
56e43f4dd9981b10930561d9936d619a72e23a53
-
SHA256
242f7f6ffaf359eb1b04fdd6fb1dc116066341e80838cc0a9eb8683306a98e80
-
SHA512
4716cca6e425fee39e756c205ebe5729a6732f21309d11cf6e69ad67be5505329ea3bdfa5086b12e03adca22bd289059ef0cc73acc72ac4a91ce183dd301c3d1
Score10/10-
CoreEntity .NET Packer
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
ReZer0 packer
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Executes dropped EXE
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-