General

Target: 0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe
Size: 196KB
Sample: 221128-ndyzpshh86
MD5: 7cd3259d6dcfc8b1eff9c35de1b9bbd8
SHA1: bc0b4234f5e014ccc8ab8dd6cb626b0aa0c79207
SHA256: 0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe
SHA512: 1c1c264f7f6fa01db1bb31fef3d829dc61e604388adcb9b8ea0c0cd6bf6b4a65e2c25134e6cecc0bd67f96f46897705cd69b980d5ae6f67d53c5d6656d69d4c8
SSDEEP: 3072:4JDzxTsqJF1teLemzoOkZKeXJ5F6P1A3Cg7ByvOpLTvNaJS7X9hkg:2DlTsqz1teHzOsEn0P1qCwB5NaU7X9h
Behavioral task: behavioral1
Sample: 0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe.exe
Resource: win10v2004-20221111-en
Malware Config

Extracted: pony
http://5.39.8.194/~login/sam/Panel/gate.php
payload_url: http://5.39.8.194/~login/sam/Panel/shit.exe
Targets

Target: 0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe
Size: 196KB
MD5: 7cd3259d6dcfc8b1eff9c35de1b9bbd8
SHA1: bc0b4234f5e014ccc8ab8dd6cb626b0aa0c79207
SHA256: 0ce94d61b27f500722a3389c88600f631ef03b03b78ff798474c8f45798f62fe
SHA512: 1c1c264f7f6fa01db1bb31fef3d829dc61e604388adcb9b8ea0c0cd6bf6b4a65e2c25134e6cecc0bd67f96f46897705cd69b980d5ae6f67d53c5d6656d69d4c8
SSDEEP: 3072:4JDzxTsqJF1teLemzoOkZKeXJ5F6P1A3Cg7ByvOpLTvNaJS7X9hkg:2DlTsqz1teHzOsEn0P1qCwB5NaU7X9h
Signatures:
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext