General
Target: Thunderbird Setup 102.7.1.exe
Size: 51.3MB
Sample: 230203-zx3yjsbc38
MD5: 84ba48f2552df6fde2c652510066bdb3
SHA1: aba83eced9fc26786e82857c413eaed8f9cc0fe7
SHA256: 0097a6bdac122bd4eeea03142b319b96ed3977dac703d78ee98241c43bc2c2c0
SHA512: 1ac079420b40bb24b2d703562aa632dddcc0dfbff95f3993559ab674f5dfa5ffb0837b63807ac7e0e46f5c244eb5e15dd65adc784817be972f333faa30547ea0
SSDEEP: 786432:pZPTL7jZwLJ4SKREbNWWnKD2I5cMSWUKca5KWP1:pNjZwLKSKa22ucMSdKcasWP1
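A practitioner who receives a suspicious Thunderbird installer first wants to know whether it is byte-identical to the sample analysed here. The following script is an added example, not part of the sandbox report: it streams a file once through MD5, SHA-1, SHA-256 and SHA-512 (the 51 MB installer is never fully loaded into memory) and reports which digests equal the IOCs listed above. The digest values are copied from this report; the file path handling and the command-line wrapper are the example's own.

```python
"""Hash-based IOC check against the digests listed in this sandbox report.

Added example (not part of the report): streams a file once through
MD5/SHA-1/SHA-256/SHA-512 and reports which digests equal a report IOC.
"""
import hashlib
import io
import sys

# IOCs copied from the report's General block for "Thunderbird Setup 102.7.1.exe".
REPORT_IOCS = {
    "md5": "84ba48f2552df6fde2c652510066bdb3",
    "sha1": "aba83eced9fc26786e82857c413eaed8f9cc0fe7",
    "sha256": "0097a6bdac122bd4eeea03142b319b96ed3977dac703d78ee98241c43bc2c2c0",
    "sha512": "1ac079420b40bb24b2d703562aa632dddcc0dfbff95f3993559ab674f5dfa5ffb0837b63807ac7e0e46f5c244eb5e15dd65adc784817be972f333faa30547ea0",
}


def digest_stream(stream, chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for a binary stream, reading it once in
    1 MiB chunks so a 51 MB installer is never fully loaded into memory."""
    hashers = {alg: hashlib.new(alg) for alg in REPORT_IOCS}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def digest_bytes(data):
    """Convenience wrapper for in-memory data (small test inputs)."""
    return digest_stream(io.BytesIO(data))


def match_iocs(digests, iocs=REPORT_IOCS):
    """Return the sorted list of algorithms whose digest equals a report IOC.
    Hash feeds differ in letter case, so the comparison is case-insensitive."""
    return sorted(alg for alg, value in digests.items()
                  if value.lower() == iocs.get(alg, "").lower())


def check_file(path, iocs=REPORT_IOCS):
    """Hash one file and return its digests plus the list of matching IOCs.
    A match on any one algorithm is enough to flag the file; all four agreeing
    means it is byte-identical to the analysed sample."""
    with open(path, "rb") as fh:
        digests = digest_stream(fh)
    return {"path": path, "digests": digests, "matched": match_iocs(digests, iocs)}


if __name__ == "__main__":
    # Usage: python ioc_check.py "Thunderbird Setup 102.7.1.exe" [more files...]
    for p in sys.argv[1:]:
        result = check_file(p)
        verdict = ("MATCH on " + ",".join(result["matched"])) if result["matched"] else "no match"
        print(f"{p}\n  sha256={result['digests']['sha256']}\n  {verdict}")
```

A hash match confirms identity with this sample only; a recompiled or re-packed build of the same installer will miss on all four digests, which is why the SSDEEP value in the report exists. Fuzzy matching needs the ssdeep library and is left out here.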
Behavioral task
behavioral1
Sample: Thunderbird Setup 102.7.1.exe
Resource: win7-20221111-en
Malware Config
Extracted: aurora
C2: 79.137.133.225:8081
Targets
Target: Thunderbird Setup 102.7.1.exe
Size: 51.3MB
MD5: 84ba48f2552df6fde2c652510066bdb3
SHA1: aba83eced9fc26786e82857c413eaed8f9cc0fe7
SHA256: 0097a6bdac122bd4eeea03142b319b96ed3977dac703d78ee98241c43bc2c2c0
SHA512: 1ac079420b40bb24b2d703562aa632dddcc0dfbff95f3993559ab674f5dfa5ffb0837b63807ac7e0e46f5c244eb5e15dd65adc784817be972f333faa30547ea0
SSDEEP: 786432:pZPTL7jZwLJ4SKREbNWWnKD2I5cMSWUKca5KWP1:pNjZwLKSKa22ucMSdKcasWP1
Signatures
Babadeda Crypter
Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
Executes dropped EXE
Loads dropped DLL
Accesses cryptocurrency files/wallets (possible credential harvesting)
Adds Run key to start application
Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
Maps connected drives based on registry: disk information is often read in order to detect sandboxing environments.
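Several of the signatures above (drops and executes an EXE, loads a dropped DLL, adds a Run key, and the C2 from the extracted Aurora config) leave traces in Sysmon telemetry on a real host. The following detection logic is an added example, not part of the sandbox report or of any vendor rule set. The Sysmon events it runs over are constructed: the dropped file names, the user profile, the registry SID and the process chain are invented for illustration, since the report does not name the dropped files. Only the C2 endpoint is taken from the report.

```python
"""Sysmon-based detection of the behaviours this report attributes to the sample.

Added example, not part of the sandbox report. The events below are constructed;
every path, file name and SID in them is invented for illustration. Only the
C2 host:port is copied from the report's extracted Aurora config.
"""

# Copied from the report: extracted Aurora config, host:port.
AURORA_C2 = {("79.137.133.225", 8081)}
RUN_KEY_MARKER = "\\currentversion\\run\\"

# Constructed telemetry using real Sysmon field names (Image, TargetFilename,
# ImageLoaded, TargetObject, Details, DestinationIp, DestinationPort).
INSTALLER = r"C:\Users\victim\Downloads\Thunderbird Setup 102.7.1.exe"
DROP_EXE = r"C:\Users\victim\AppData\Local\Temp\svc.exe"      # invented name
DROP_DLL = r"C:\Users\victim\AppData\Local\Temp\helper.dll"   # invented name

SAMPLE_EVENTS = [
    {"EventID": 11, "Image": INSTALLER, "TargetFilename": DROP_EXE},
    {"EventID": 11, "Image": INSTALLER, "TargetFilename": DROP_DLL},
    {"EventID": 1, "Image": DROP_EXE, "ParentImage": INSTALLER},
    {"EventID": 7, "Image": DROP_EXE, "ImageLoaded": DROP_DLL},
    {"EventID": 13, "Image": DROP_EXE,
     "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": DROP_EXE},
    {"EventID": 3, "Image": DROP_EXE,
     "DestinationIp": "79.137.133.225", "DestinationPort": "8081"},
    # Benign noise: the legitimate client talking HTTPS to an unrelated address.
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": "443"},
]


def dropped_files(events):
    """Map lower-cased path -> writing process for every FileCreate (EID 11)."""
    return {e["TargetFilename"].lower(): e["Image"]
            for e in events if e.get("EventID") == 11}


def analyse(events):
    """Apply four rules to a list of Sysmon events and return (rule, evidence)
    tuples in event order. Rules fire only on files the same event stream
    saw being written, so a process start on its own is never flagged."""
    dropped = dropped_files(events)
    findings = []
    for e in events:
        eid = e.get("EventID")
        if eid == 1 and e["Image"].lower() in dropped:
            findings.append(("executes_dropped_exe",
                             f"{dropped[e['Image'].lower()]} wrote then launched {e['Image']}"))
        elif eid == 7 and e["ImageLoaded"].lower() in dropped:
            findings.append(("loads_dropped_dll",
                             f"{e['Image']} loaded dropped {e['ImageLoaded']}"))
        elif eid == 13 and RUN_KEY_MARKER in e["TargetObject"].lower():
            value = e.get("Details", "").strip('"').lower()
            rule = "run_key_points_at_dropped_file" if value in dropped else "run_key_set"
            findings.append((rule, f"{e['TargetObject']} = {e.get('Details')}"))
        elif eid == 3 and (e["DestinationIp"], int(e["DestinationPort"])) in AURORA_C2:
            findings.append(("aurora_c2_connect",
                             f"{e['Image']} -> {e['DestinationIp']}:{e['DestinationPort']}"))
    return findings


if __name__ == "__main__":
    for rule, evidence in analyse(SAMPLE_EVENTS):
        print(f"[{rule}] {evidence}")
```

Two caveats for use on real hosts: correlate FileCreate and ProcessCreate per host and within a time window rather than over an unbounded event list, and note that Sysmon records registry value writes (EID 13) but not reads, so the locale lookup and the registry-based drive mapping in the signature list are visible only in sandbox or API tracing, not in this telemetry.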