General
Target: AEE6E7C7266A285B58C757631A62A74117D4958B0FAD89A2368FF4B1CA53BA4E
Size: 179KB
Sample: 221123-r2tlnsab87
MD5: 1f99d93b4dbd5b918f438839205dd209
SHA1: 5a3a92e07a8b9f2f64b4adba2b9dda77cfc89af4
SHA256: aee6e7c7266a285b58c757631a62a74117d4958b0fad89a2368ff4b1ca53ba4e
SHA512: c63111bfaab91af1ede3d9c223e7ff0d84e9ffa73eb69d4e5cf02c2991218784ea58fb2ed5f8768b23ba7c435ef03c4d620184f882fe183733c2239c6aaa9f15
SSDEEP: 3072:JqiOwAk53a6sJbU4X7yNnLIpssSydwU8VbzEbAobsfSliJ2b7H:Jv3u2pLassSX5VXE1bsDJ2b7H
Static task: static1
Behavioral task: behavioral1
  Sample: Attached Invoice_72_1421 DOC.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: Attached Invoice_72_1421 DOC.exe
  Resource: win10v2004-20220901-en
Malware Config
Extracted
formbook
pfgc
wooklabel.store
Targets
Target: Attached Invoice_72_1421 DOC.exe
Size: 245KB
MD5: 13940ca97783f75831c3f0a72c59ec53
SHA1: d0bea9d294ab885228296157122414eb372f5a56
SHA256: 810b8a39783409f1b3f56e78d764a5abda68ff7bf08ae721ba798934568db7f3
SHA512: e9169747a0c4f9c90bba3fabe3d71b4985410e221be37c6fe31c2bbec4a50299d3a4dd2eaffe087b65b6a70c857be127683e78fc685ce5868ddcb4428a4f78bf
SSDEEP: 3072:3LfVxlyEZfp9zIzjBlLetfKhoewsEvTnL+pssSWdwU8xbtEbAqPsfSliJx:btXZXPzd5vrL8ssST5xZEBPsDJ
- Checks QEMU agent file: checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings: looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext