8e1226ecf81fb863a95dfea31603172473ed8a5d301f185927732e4ae0066814 | Triage

Sharing

General

Target

FortiClientVPN-10_11.zip
Size

115.0MB
Sample

221216-tk2l3afa44
MD5

fee389057573b6496b3c2bdcd69102be
SHA1

a344e37e1045c780cad9681818056820980cd716
SHA256

8e1226ecf81fb863a95dfea31603172473ed8a5d301f185927732e4ae0066814
SHA512

a44afb6140e1d084616b54f40d21142d8b4f2fb82dedc9ab1e4a2a0fc18f18c1a05a167806b7a66a50c958d71cd207efd6551ce73535b07867ad927103b198be
SSDEEP

3145728:TNAOLDyOLNXhcrZOLmKiOL7OLUOLDOLjOLdOLW:TNfvir/KC

Score

8^/10

Malware Config

Targets

- Target
  
  FortiClientVPN-10_11.zip
- Size
  
  115.0MB
- MD5
  
  fee389057573b6496b3c2bdcd69102be
- SHA1
  
  a344e37e1045c780cad9681818056820980cd716
- SHA256
  
  8e1226ecf81fb863a95dfea31603172473ed8a5d301f185927732e4ae0066814
- SHA512
  
  a44afb6140e1d084616b54f40d21142d8b4f2fb82dedc9ab1e4a2a0fc18f18c1a05a167806b7a66a50c958d71cd207efd6551ce73535b07867ad927103b198be
- SSDEEP
  
  3145728:TNAOLDyOLNXhcrZOLmKiOL7OLUOLDOLjOLdOLW:TNfvir/KC
Score

8^/10
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2