General

Target: SecuriteInfo.com.Gen.Variant.Nemesis.16281.15082.27696.exe
Size: 623KB
Sample: 230112-d22qdsfa83
MD5: e423fed7291da95e8e3411844900336f
SHA1: a6dd49eff68c53b3f87c296d1ce89c4044e7375d
SHA256: 40c951419b641cc741234b24dd9f959f44be33839de3bb81012af58a444211d5
SHA512: 2715ea317ecf002adacd7bce9a26e70cfb0c13c4aae5a4f023a85f3f34f3272cab0abab139ddedff70584454832785c7542f040b1ba1b6317dae813cd4c96d9d
SSDEEP: 12288:OcWJ+6nT8mlX+ve+5VApm7BAUw8pNPiVf2yg1ADX9rMIbyyjRc:OXBn1lX+22FO38pNPiljgMBxOyjG
Static task: static1

Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Gen.Variant.Nemesis.16281.15082.27696.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Gen.Variant.Nemesis.16281.15082.27696.exe
  Resource: win10v2004-20220901-en
Malware Config

Extracted
  Family: marsstealer
  Botnet ID: Default
  C2: 152.89.218.97/gate.php
Targets

Target: SecuriteInfo.com.Gen.Variant.Nemesis.16281.15082.27696.exe
Size: 623KB (MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the values listed under General)
- Checks QEMU agent file: checks for the presence of the QEMU guest agent, possibly to detect virtualization.
- Deletes itself
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software installed on the system.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger (thread created with the hide-from-debugger flag, an anti-debugging technique)
- Suspicious use of NtSetInformationThreadHideFromDebugger (ThreadHideFromDebugger set on an existing thread, also anti-debugging)
- Suspicious use of SetThreadContext (commonly associated with thread hijacking and process hollowing)