General

  • Target

    eaf978fd469c4acc54a1b4cdaa4298c04b385b0cce10215f96a737b26a27fd30

  • Size

    308KB

  • Sample

    230306-gb719sad3t

  • MD5

    24527c1cb60027d91ddc051990ba55ca

  • SHA1

    6f55efac879c92f116ab73ccd431c898c6f794f9

  • SHA256

    eaf978fd469c4acc54a1b4cdaa4298c04b385b0cce10215f96a737b26a27fd30

  • SHA512

    cbf0dab2eb7e3b44359db887a7441459a49575faaab0cfec6ddb67b43957391510fb7a0beb63098c3d826c96c91fff284e726c16284f70128b7cd577d30ee11e

  • SSDEEP

    6144:bOsY+HgEiTA14Xn0Ti8v1bbFgXIQdjrfzNt1mEP3:i814Xn0Ti8tbJyIQdjrfzQEP3

Malware Config

Targets

    • Target

      eaf978fd469c4acc54a1b4cdaa4298c04b385b0cce10215f96a737b26a27fd30

    • Size

      308KB

    • MD5

      24527c1cb60027d91ddc051990ba55ca

    • SHA1

      6f55efac879c92f116ab73ccd431c898c6f794f9

    • SHA256

      eaf978fd469c4acc54a1b4cdaa4298c04b385b0cce10215f96a737b26a27fd30

    • SHA512

      cbf0dab2eb7e3b44359db887a7441459a49575faaab0cfec6ddb67b43957391510fb7a0beb63098c3d826c96c91fff284e726c16284f70128b7cd577d30ee11e

    • SSDEEP

      6144:bOsY+HgEiTA14Xn0Ti8v1bbFgXIQdjrfzNt1mEP3:i814Xn0Ti8tbJyIQdjrfzQEP3

    • Detects PseudoManuscrypt payload

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • PseudoManuscrypt

      PseudoManuscrypt is a malware Lazarus’s Manuscrypt targeting government organizations and ICS.

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks