General
Target: Software by Yuki.7z
Size: 700KB
Sample: 221015-htm99afchp
MD5: 1b4e8165469c5083ea0bd6036f775049
SHA1: fc73089984b8a187708662ab7a39df8abe309790
SHA256: 6c0f3aa39fc7bef58cc439ebba5d0c1aaccd2afb83e933a9c4ceca770815e6cc
SHA512: 020b12ce41010344220fb1622691809fcf9d0959cd9722ecc13dd9f256bd341a6c880a1b08a2506d781d7447b14bd6dba48bb0f3a269c3db1d72ddf0a3a4b31b
SSDEEP: 12288:BExnsFWjBPkiOv30q23a3M3nuLohKMZhDDf9u8arx/bfUUAr4XtK97uMZ:BExnsFWjBP540qWa8XiohfD88aFgLsk5
Static task: static1
Behavioral task: behavioral1
Sample: Software by Yuki/Setup.exe
Resource: win7-20220812-en
Malware Config
Extracted family: vidar
Extracted values: 55, 1325
C2 URLs: https://t.me/truewallets, https://mas.to/@zara99, http://116.203.10.3:80
profile_id: 1325
Targets
Target: Software by Yuki/Setup.exe
Size: 393.5MB
MD5: f25e9e7f9434fb9d9483ded8812725c1
SHA1: 3fd861e8c065093f4bdd5d3f757879fd3646e0ef
SHA256: ef532ad2dff5f28f90316873f41d051a37e3c9f6936a49b0960ad276a841c0b7
SHA512: c3c5c2f48b3046477649a9b16118a7011a245c6a29a9894c555df4eec266a6c3da7373469cebf0ab2c4148f993b6be4dae585c946de48d3caf29491213e1ed14
SSDEEP: 12288:8lulBqFApXSkfa9CL5gKPPkYOFuD+dIwBM1imR21Ov:7lBKApPa9CDk+KdIJ1PRYQ
- Modifies security service
- XMRig Miner payload
- Downloads MZ/PE file
- Executes dropped EXE
- Stops running service(s)
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext