General
Target: excludes.dat
Size: 187KB
Sample: 220522-f3rb6affh9
MD5: 5ca95841b2979a96453361358f6d860d
SHA1: 4088c98c806596008b62cd17d59e8c9a01291f1a
SHA256: fe7cc5a2579668cb6afd239dc181c404ef602d72605fe46361e31cecb17187a2
SHA512: d1d7cd8463e4fec463173045fcdbcfd0db85e0af62faad0fea96098341c977279fddb6a6eecf40d1a94b4dd094eba1311caf98443422a89c8b68f76eec7bc8d1
Static task: static1
Behavioral task: behavioral1
  Sample: excludes.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: excludes.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted: http://185.26.113.95:8095/batpower2.txt
Score: 10/10
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
- Blocklisted process makes network request
- Executes dropped EXE
- Modifies Windows Firewall
- Sets file execution options in registry
- Stops running service(s)
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL