General
Target: LibreOffice_7.4.3_Win_x64.iso
Size: 300.4MB
Sample: 230118-zgc27aeb3y
MD5: 66ae323248f582a0ef7a590bb9ad422b
SHA1: ad17216df815e090b5f74f121571eeca29470a4d
SHA256: 577e892d1297665f413336b2d84793e4f62e578a723b0b47d688983f9cbe64a2
SHA512: 1488a34737fe0e38cb703a64da2c4818bcd4477852837110117271bca047fd8209a680513036ef57e43e30d0ae1622a2ae646d7ecfd694ae5c5492b06ad99ba1
SSDEEP: 12288:0bCG7F1wjOLak1PCgqaapo2RvxC1WyOPwQOhGwYyY9ZGyooo3RZNzBjFww43vmOC:Mbww4fmOa6IglK
Static task: static1
Behavioral task: behavioral1
  Sample: LibreOffice_7.4.3_Win_x64.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: LibreOffice_7.4.3_Win_x64.exe
  Resource: win10v2004-20220812-en
Malware Config
Extracted: aurora
  79.137.133.225:8081
Targets
Target: LibreOffice_7.4.3_Win_x64.exe
Size: 300.4MB
MD5: 2bec9909801a6b076ed39f92014b0ea7
SHA1: 7d1b3911ea2c34a04f1fef879f734cb956267c98
SHA256: 927faca66d91e772d4f89c84de39b7a02132fb088a97b56056911f0e0f18b026
SHA512: 0cb4b1836e5c781a0bc175f799b3427be0bb5bba859ebcfbf5f5e1225ceefa82f40cae08b032e1601515698a4620b12f0e8e76f1fa98f68432992a871dfabb60
SSDEEP: 12288:WbCG7F1wjOLak1PCgqaapo2RvxC1WyOPwQOhGwYyY9ZGyooo3RZNzBjFww43vmOC:mbww4fmOa6IglK
Signatures
- Executes dropped EXE
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
- Suspicious use of SetThreadContext