f1e664c4ed84ebfc0f469d0dfea292e625bb7dac918ccc1c22999a491c3ad48b | Triage

Sharing

General

Target

f1e664c4ed84ebfc0f469d0dfea292e625bb7dac918ccc1c22999a491c3ad48b
Size

309KB
Sample

221124-axnq7afe75
MD5

28b756da4ec47d7f90ffbb6e8dbdbcad
SHA1

3b87ed6418476d592db6f57651a75d6862841da7
SHA256

f1e664c4ed84ebfc0f469d0dfea292e625bb7dac918ccc1c22999a491c3ad48b
SHA512

ebfd6422681cf08d11c7a34eaa6038cb680308309747e65579b668e0ddb16289d01700bcd7f3e247a28a2cf3383696264e14d57b672acc41fa3317ecfb71e268
SSDEEP

3072:+VHgCc4xGvbwcU9KQ2BBAHmaPx0VoIb5E+:fCc4xGxWKQ2Bonxs

Score

10^/10

persistence

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.byethost12.com
Port:
21
Username:
b12_8082975
Password:
951753zx

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
onthelinux
Password:
741852abc

Targets

- Target
  
  f1e664c4ed84ebfc0f469d0dfea292e625bb7dac918ccc1c22999a491c3ad48b
- Size
  
  309KB
- MD5
  
  28b756da4ec47d7f90ffbb6e8dbdbcad
- SHA1
  
  3b87ed6418476d592db6f57651a75d6862841da7
- SHA256
  
  f1e664c4ed84ebfc0f469d0dfea292e625bb7dac918ccc1c22999a491c3ad48b
- SHA512
  
  ebfd6422681cf08d11c7a34eaa6038cb680308309747e65579b668e0ddb16289d01700bcd7f3e247a28a2cf3383696264e14d57b672acc41fa3317ecfb71e268
- SSDEEP
  
  3072:+VHgCc4xGvbwcU9KQ2BBAHmaPx0VoIb5E+:fCc4xGxWKQ2Bonxs
Score

10^/10

persistence
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2