08f80851cddad7d6cdd737f0e8c0ed9154530f695548eecb4c1d8fb3a3ba6f8c | Triage

Sharing

General

Target

6ecaf3e8fcaa8967aefad83ec3b9158898c279a5
Size

3.4MB
Sample

230105-a1y2bsdf6y
MD5

c1323f2d118772f7f2773eedd2dcfb60
SHA1

6ecaf3e8fcaa8967aefad83ec3b9158898c279a5
SHA256

08f80851cddad7d6cdd737f0e8c0ed9154530f695548eecb4c1d8fb3a3ba6f8c
SHA512

231cad7fe3afdae1f8536306645670b75ef59040dd7dbbbfa653900dd7baa07cc996a3511f0098bc4ca066d7d3057bae34b9218e4eeadd51e42bcd7631a64ed5
SSDEEP

98304:4FyDg/iXxn7dv1zPm/EhvF/OlCzb5Pt08:4qBn751zPOc2la9t08

Score

10^/10

persistence

Malware Config

Targets

- Target
  
  unpacme/Bllfgyszs.exe
- Size
  
  1.2MB
- MD5
  
  b4bb8d5ebcafb7cc2681e17e3596649a
- SHA1
  
  cd7c93d59b53b54e8a3e24e065c9cc93c7101b79
- SHA256
  
  87e33a27066d4638c3aede2ef053462b8c48395de0dd8fc4087299628ff8e0fa
- SHA512
  
  9b4edd0cd365ca3d88ba786b258cad7310f8abe5d46dc261edc593fdf4a5a74e05c58d3ff1b7d3b76d10ef9890252d877e6a84212de08ab08018dcf3f06064b3
- SSDEEP
  
  24576:DBgfiF9Ctf4HCV6eQ3cfDmDjbSZ+/HAjZdMcj6Isc/:Db0tf4e6aDmDfgJbMcD/
Score

10^/10

persistence
- Modifies WinLogon for persistence
  persistence
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  unpacme/Newtonsoft.Json.dll
- Size
  
  559KB
- MD5
  
  9d6ec6072ee1814a4a01d1eb3fb67ba1
- SHA1
  
  d0b416de1c900b6bcb35dc182b2e8744f16c3289
- SHA256
  
  ff8c24bce1eb009f0d5c47a09b96caf02726c285cea0d635082ad4da27e63d1b
- SHA512
  
  09b30ec790bd953d12ac6c1836fd3535a7b3005dc4f1a26aa752f50b36d1d074061e24e94c5fa80b1c2ad24e84087505405da50cac9a4250faa8ddd594b01f63
- SSDEEP
  
  6144:1cHfLcN/a4L/uhxq9UVFYHjL3VMsWn1s6QjRhF9gauyBuntfV+jPuxJ:1cTcVa4Lwxqc4jL3VKQjRhFjBDjPuxJ
Score

1^/10
behavioral3 behavioral4
- Target
  
  unpacme/Xgibxdxqilgiamhhnb.dll
- Size
  
  951KB
- MD5
  
  51a1125da3ba0952fcacf0fc89621411
- SHA1
  
  0f61ca1ea087eb74110d00a7b9992d36b3b615f5
- SHA256
  
  55ceeb61acfa728e7afaa2d73b09bc7e2a0604747a488c1166bf503ef5d50848
- SHA512
  
  1a944efc5fb06659dc6f31ee275220e1ab604e91ecc0da213fbebb53e3f679247e70c938d911a13c3ec9528c81c5ab8f49c98f125628dd3e8a4a7012b7ad66e6
- SSDEEP
  
  24576:pltXOzTHFTp8hur0WM8Rg1cAftl9R2c22dE:plt+zzhpABr8Rg1ttvg
Score

1^/10
behavioral5 behavioral6
- Target
  
  unpacme/_.dll
- Size
  
  1.2MB
- MD5
  
  f140daa3ab9de6b0df86790e72c753fa
- SHA1
  
  2e348396051370bd91c5a7d78f5ddbdd489f8729
- SHA256
  
  5abb6f4e060df768a22f3649cef5c47cd45a558bb55a636dc3353a8f5d24a5be
- SHA512
  
  0d9158a7d663f9156d03cad958bb6e314283bccfab1d8326c0cb3389141f1fecc1b0cb6ee443f3edb085f581552f02d0422a3193d634ffebe7f4d7bfc5213ea5
- SSDEEP
  
  24576:VBgfiF9Ctf4HCV6eQ3cfDmDjbSZ+/HAjZdMcj6Isc/:Vb0tf4e6aDmDfgJbMcD/
Score

1^/10
behavioral7 behavioral8
- Target
  
  unpacme/test.exe
- Size
  
  638KB
- MD5
  
  bcf49744ba4944dc810f4185ab8a9d50
- SHA1
  
  cf32e495575bee1e9382f7e4ac34674b9aec47b4
- SHA256
  
  ad313baf55b55cd37d1d7dc6db9a8d60783b77d187430c043b1e2fcf4ae6b064
- SHA512
  
  9307abb61485930e6008e930f71a6472ff2041202213edc580c6a06825d2d76519d0fa82e4250478dcfd12867ddbd9ca9e8c6fd553b0887e3fdd0e61cc7b988f
- SSDEEP
  
  12288:ksqQ30A60bBykAY/qmsz1TNetLiWMVbem8LPF:ksQwz/qm4N4LLx9
Score

6^/10
- Legitimate hosting services abused for malware hosting/C2
behavioral10 behavioral9

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10