Resubmissions
25-02-2023 05:45
230225-gfvxhacd32 10General
-
Target
tmp
-
Size
235KB
-
Sample
230225-gfvxhacd32
-
MD5
ebd584e9c1a400cd5d4bafa0e7936468
-
SHA1
d263c62902326425ed17855d49d35003abcd797b
-
SHA256
ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
-
SHA512
e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010
-
SSDEEP
6144:pLUoeyDABOdDubDXqgraG0JzSRuVyL+VYLQqgE:plu0LgwJ4uVyaVqJ
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20230220-en
Malware Config
Extracted
amadey
3.66
62.204.41.88/9vdVVVjsw/index.php
Extracted
aurora
212.87.204.93:8081
Extracted
https://evilextractor.com/wp-content/uploads/2022/12/Python39-322.zip
https://evilextractor.com/wp-content/uploads/2023/02/Parameter.zip
https://github.com/tedburke/CommandCam/archive/refs/heads/master.zip
Targets
-
-
Target
tmp
-
Size
235KB
-
MD5
ebd584e9c1a400cd5d4bafa0e7936468
-
SHA1
d263c62902326425ed17855d49d35003abcd797b
-
SHA256
ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
-
SHA512
e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010
-
SSDEEP
6144:pLUoeyDABOdDubDXqgraG0JzSRuVyL+VYLQqgE:plu0LgwJ4uVyaVqJ
-
Nirsoft
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-