General

  • Target

    132ae8aa700ef41385e1928d50b1feda6f95f18a5b6ad22f275c9c6de13c7deb

  • Size

    780KB

  • Sample

    220521-dztl1agfa5

  • MD5

    e7231b4857a5c68156f3f93ffadee1fd

  • SHA1

    21e156eaef77640fa14d2bd38ff5112ded39327f

  • SHA256

    132ae8aa700ef41385e1928d50b1feda6f95f18a5b6ad22f275c9c6de13c7deb

  • SHA512

    32b6445e8488e5996ce57c2e8292dce4456174a5608d91d4852238abacf8300ae6060a4bf94de4d13aac42cb171ee6e963f8f71fdfe256af74aeca8cbe210cc2

Score
10/10

Malware Config

Targets

    • Target

      nalog za kupnju.exe

    • Size

      814KB

    • MD5

      1f107e0e93b99040bc5776653b7f2652

    • SHA1

      d8f3b43e4d6cf83173180e297215b7951f6aa185

    • SHA256

      9d5a194bc2e43c2e391ae84647afc17ade46bae8497c86edd83107b462fd68ef

    • SHA512

      d74e4c65add5eaca4d4509eeb3c0390ebfa3f6029326a25417cb87dc17062fe3e79259a354f06c3290e2898b4e9dd7d84728838c82f1ec79cadc833453e80943

    Score
    10/10

    • CoreEntity .NET Packer

      A .NET packer, CoreEntity, that embeds its payload as a Bitmap object which is later decrypted at runtime.

    • CoreCCC Packer

      Detects CoreCCC packer used to load .NET malware.

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scheduled Task (1) T1053

  • Persistence

    Scheduled Task (1) T1053

  • Privilege Escalation

    Scheduled Task (1) T1053

  • Discovery

    Query Registry (1) T1012

    System Information Discovery (2) T1082
