Overview

overview

10

Static

static

1

b9a81253d8...ab.exe

windows7-x64

10

b9a81253d8...ab.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a64c4c4083e817d1b75536c30dd0ce5e.bin

  • Size

    156KB

  • Sample

    230224-b41j1abg4w

  • MD5

    501d6a738598dd3d2f0dec8327e6dee0

  • SHA1

    0aba4f11385e3cb4f823a6bd4b9e9ffd6a4416e7

  • SHA256

    e708c9dd06084c5c9f0c9a006bb12c484a155358001cea5d990f85519fdf56d9

  • SHA512

    4c95ae8651443b04c204c9541054ccf7e78b9f5a5d3dd231747ea57b60a751aa397c1c8e38835c556d8333e072a1a1e068b16f2bf9ddf167914985b4bc550b68

  • SSDEEP

    3072:WXM4hnHxnDAjHqn5yRZKtSErmSHaqgEpIUudnDwvLdMnU4NfU+AMU+LSMlphMcd:WX9hHijHqERZo6s17udn29/ktlphTd

Score
10/10
pseudomanuscryptloader

Malware Config

Targets

    • Target

      b9a81253d85a5da410ec8cf345c2444ec09739e5c9842e4031195209bacbf8ab.exe

    • Size

      312KB

    • MD5

      a64c4c4083e817d1b75536c30dd0ce5e

    • SHA1

      a4667b3ae9b83bc12f9d53543c41783b343afac3

    • SHA256

      b9a81253d85a5da410ec8cf345c2444ec09739e5c9842e4031195209bacbf8ab

    • SHA512

      fa39341ae0d245459174707c4dfd5fa4830e26eb7b58a1c81395977a27536ef1813bc42c2536556901a8a9cb238bd88b081df602f4d2a5242c95320d55d80d8f

    • SSDEEP

      6144:E4PWLN3m+XeeqeO0UQeQ8KbLVHqAQg5jIQs8EPn:6aeqeO0UQB8KFHqAY8EPn

    Score
    10/10
    pseudomanuscryptloader

    • Detects PseudoManuscrypt payload

      loader

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • PseudoManuscrypt

      PseudoManuscrypt is a malware Lazarus’s Manuscrypt targeting government organizations and ICS.

      loaderpseudomanuscrypt

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.