General
Target: PO 55192752_PDF Dalian Hiscien Engineering Co Ltd iGST_eH2mYaM.exE
Size: 973KB
Sample: 230213-nn4ypscd3x
MD5: 76af89cc6f06552cf6815efa1b407161
SHA1: 1bdab78ec87c979938c4fd4645961a061abaf80b
SHA256: f0e2be29b4f60291bb5e95eb8e23794502c74d7daff6754762ba486cf92f4c4f
SHA512: 2e675e58a5ed9c8f9955b9c0135f754f2965d1d21611826b3e71a8288082a2573c586e901a800f304a2e93ee557657432aa02af990e63813cf470cb0de2356e9
SSDEEP: 24576:PSzS0v+YHOtLnTtSnm0Do7BtQKft+pasie3G0iwUI3lN9nZ9GL0/+RA:x1/V+3B20TUGlPZ9GL1A
Static task: static1
Behavioral task: behavioral1
Sample: PO 55192752_PDF Dalian Hiscien Engineering Co Ltd iGST_eH2mYaM.exe
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: PO 55192752_PDF Dalian Hiscien Engineering Co Ltd iGST_eH2mYaM.exe
Resource: win10v2004-20220812-en
Malware Config
Extracted
Protocol: ftp
Host: ftp.brado-it.com
Port: 21
Username: pro@brado-it.com
Password: wKqTRDAW8B%F
These are the drop-account credentials hardcoded in the sample, not victim credentials: stolen data is uploaded over plaintext FTP on port 21, so the host, the account name and the login sequence are all visible to network monitoring.
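The exfiltration channel above, turned into a network-side check. This is an added example, not content from the sandbox report: it parses a constructed FTP control-channel transcript (client lines prefixed C:, server lines S:, of the kind a proxy or Zeek-style FTP log yields) and alerts on logins to the host or account from the extracted config, with a lower-severity finding for any other plaintext FTP upload. The host and username are copied from the report; the source addresses, file names and other sessions are constructed.

```python
"""Detect the FTP credential drop described in the extracted config.

Added example, not part of the sandbox report. SAMPLE_TRANSCRIPT is a
constructed control-channel capture; EXFIL_HOST and EXFIL_USER come from
the report's "Malware Config" section.
"""
import re
from dataclasses import dataclass, field

# Indicators copied from the report's extracted config.
EXFIL_HOST = "ftp.brado-it.com"
EXFIL_USER = "pro@brado-it.com"

# Constructed transcript: one known-bad drop, one benign anonymous download,
# one unknown plaintext upload.
SAMPLE_TRANSCRIPT = """
SESSION 10.0.0.23:49812 -> ftp.brado-it.com:21
S: 220 FTP server ready
C: USER pro@brado-it.com
S: 331 Password required
C: PASS wKqTRDAW8B%F
S: 230 User logged in
C: TYPE I
C: STOR creds_DESKTOP-A1B2C3.html
S: 226 Transfer complete
SESSION 10.0.0.40:50122 -> mirror.example.net:21
S: 220 Welcome
C: USER anonymous
C: PASS guest@
S: 230 Login successful
C: RETR README.txt
S: 226 Transfer complete
SESSION 10.0.0.51:50310 -> backup.example.org:21
S: 220 ready
C: USER backup
C: PASS hunter2
S: 230 OK
C: STOR nightly.tar
S: 226 Transfer complete
"""

SESSION_RE = re.compile(r"^SESSION (\S+) -> (\S+):(\d+)$")
UPLOAD_VERBS = {"STOR", "STOU", "APPE"}


@dataclass
class FtpSession:
    src: str
    dst_host: str
    dst_port: int
    user: str = ""
    password: str = ""
    uploads: list = field(default_factory=list)


def parse_transcript(text: str) -> list:
    """Split the transcript into sessions and pull out login and upload commands."""
    sessions = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = SESSION_RE.match(line)
        if m:
            sessions.append(FtpSession(m.group(1), m.group(2).lower(), int(m.group(3))))
            continue
        if not sessions or not line.startswith("C: "):
            continue  # server replies carry nothing scored here
        verb, _, arg = line[3:].partition(" ")
        verb = verb.upper()
        cur = sessions[-1]
        if verb == "USER":
            cur.user = arg.strip().lower()
        elif verb == "PASS":
            cur.password = arg.strip()
        elif verb in UPLOAD_VERBS:
            cur.uploads.append(arg.strip())
    return sessions


def assess(sessions: list) -> list:
    """Return (src, severity, reason) tuples for sessions worth an alert."""
    findings = []
    for s in sessions:
        if s.dst_host == EXFIL_HOST or s.user == EXFIL_USER:
            findings.append((s.src, "critical",
                             f"login as {s.user} to known drop {s.dst_host}:{s.dst_port}; "
                             f"{len(s.uploads)} upload(s)"))
        elif s.uploads and s.password:
            # No IOC match, but credentials and data left the host in the clear.
            findings.append((s.src, "medium",
                             f"plaintext FTP upload of {len(s.uploads)} file(s) to {s.dst_host}"))
    return findings


if __name__ == "__main__":
    for src, sev, reason in assess(parse_transcript(SAMPLE_TRANSCRIPT)):
        print(f"{sev.upper():8} {src:<18} {reason}")
```

The password is deliberately not used as a match key: the host and account name are what an analyst blocks and hunts on, and the generic "plaintext login followed by STOR" rule catches the same technique once the operator rotates the drop account.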
Targets
Target: PO 55192752_PDF Dalian Hiscien Engineering Co Ltd iGST_eH2mYaM.exE
Size: 973KB
MD5, SHA1, SHA256, SHA512, SSDEEP: identical to the General section above (same file)
-
Looks for VirtualBox Guest Additions in registry
Presence of the Guest Additions key identifies a VirtualBox guest; used to detect analysis VMs.
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
NirSoft
Embedded NirSoft password-recovery code; legitimate tools repurposed for credential theft.
-
Looks for VMware Tools registry key
Presence of the VMware Tools key identifies a VMware guest; used to detect analysis VMs.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence.
-
Uses the VBS compiler for execution
Spawns vbc.exe, the Visual Basic .NET compiler shipped with the .NET Framework; a legitimate signed binary that is often used as an injection target.
-
Accesses Microsoft Outlook accounts
Reads Outlook profile data from the registry, where account names and stored credentials live.
-
Adds Run key to start application
Persistence: a Run key in the registry starts the payload at logon.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
Rewriting another thread's context is the step that redirects execution in process hollowing and similar injection techniques.
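The registry-based signatures above are individually noisy (explorer.exe reads the Geo\Nation value too) but form a recognisable cluster: VM and sandbox checks, a geofence lookup, mailbox credential access, Run-key persistence and a SetThreadContext call. As an added example that is not part of the sandbox report, the check below tags a constructed API-monitor style trace with those signatures per process and flags the combination. The registry paths are the locations these checks conventionally read and are assumed here, since the report lists signature names only; the process names, PIDs and trace lines are constructed. One caveat for detection engineering: Sysmon logs registry value writes (Event ID 13) but not reads, so the read-side signals need sandbox or EDR telemetry.

```python
"""Cluster the report's registry signatures from a constructed API-monitor trace.

Added example, not part of the sandbox report. Registry paths are assumed
(usual locations for these checks); trace lines are constructed.
"""
import re
from collections import defaultdict

# Operation classes for the API-monitor verbs used in the constructed trace.
OP_CLASS = {
    "RegOpenKey": "read", "RegQueryValue": "read", "RegEnumValue": "read",
    "RegSetValue": "write", "RegCreateKey": "write",
    "SetThreadContext": "inject",
}

# (tag, op class, case-insensitive substring of the target).
RULES = [
    ("anti_vm",      "read",   "\\oracle\\virtualbox guest additions"),
    ("anti_vm",      "read",   "\\vmware, inc.\\vmware tools"),
    ("anti_sandbox", "read",   "\\hardware\\description\\system\\bios"),
    ("anti_sandbox", "read",   "\\services\\disk\\enum"),
    ("geofence",     "read",   "\\control panel\\international\\geo\\nation"),
    ("cred_access",  "read",   "\\outlook\\profiles\\"),
    ("persistence",  "write",  "\\currentversion\\run\\"),
    ("injection",    "inject", ""),   # any SetThreadContext on another thread
]

# Constructed trace: "pid image operation target". sample.exe stands in for
# the dropper; explorer.exe shows a legitimate Geo\Nation read.
SAMPLE_TRACE = """
1234 sample.exe RegOpenKey HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions
1234 sample.exe RegOpenKey HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools
1234 sample.exe RegQueryValue HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemManufacturer
1234 sample.exe RegQueryValue HKCU\\Control Panel\\International\\Geo\\Nation
1234 sample.exe RegEnumValue HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum
1234 sample.exe SetThreadContext pid=1300 (vbc.exe)
1234 sample.exe RegQueryValue HKCU\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email
1234 sample.exe RegSetValue HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater
4016 explorer.exe RegQueryValue HKCU\\Control Panel\\International\\Geo\\Nation
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\w+)\s+(.*)$")


def tag_trace(trace: str) -> dict:
    """Return {pid: {"image": name, "tags": set}} for every process in the trace."""
    procs = defaultdict(lambda: {"image": "", "tags": set()})
    for raw in trace.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        pid, image, op, target = m.groups()
        op_class = OP_CLASS.get(op)
        if op_class is None:
            continue  # operation not covered by any rule
        entry = procs[int(pid)]
        entry["image"] = image
        low = target.lower()
        for tag, cls, needle in RULES:
            if cls == op_class and needle in low:
                entry["tags"].add(tag)
    return dict(procs)


def stealer_pattern(tags: set) -> bool:
    """The cluster seen in the report: evasion checks + persistence + mailbox credential access."""
    evasion = {"anti_vm", "anti_sandbox", "geofence"} & tags
    return bool(evasion) and "persistence" in tags and "cred_access" in tags


def flagged_pids(trace: str) -> list:
    """PIDs whose tag set matches the stealer cluster."""
    return [pid for pid, e in tag_trace(trace).items() if stealer_pattern(e["tags"])]


if __name__ == "__main__":
    for pid, e in tag_trace(SAMPLE_TRACE).items():
        verdict = "FLAG" if stealer_pattern(e["tags"]) else "ok"
        print(f"{pid:>6} {e['image']:<14} {verdict:<5} {sorted(e['tags'])}")
```

Requiring the combination rather than any single tag is what keeps this usable: a lone BIOS or Geo\Nation read is ordinary Windows behaviour, while evasion plus persistence plus mailbox access in one process is not.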