General
-
Target
b5e1e946ebad560b876703e9675ca326.exe
-
Size
308KB
-
Sample
230309-cneg9sab77
-
MD5
b5e1e946ebad560b876703e9675ca326
-
SHA1
c0e2e24a911a4d8e9cbc5a483ef8876fbabfa772
-
SHA256
c33ecac87bf07fc75b6768b76622daac389e05ef718c457e0393238d646bb130
-
SHA512
8ee9e9af2731eb83af3f17aa19b9a74547429f026882fb6d592d74d97ed958f990f46c5be5371e06360503672e9f8ca00ccf9d64ed59d11475c86a6f35ac1ff5
-
SSDEEP
6144:bOsY+HgEiTA14Xn0Ti8v1bbFgXIQdjrfzNt1gEP3:i814Xn0Ti8tbJyIQdjrfzWEP3
Malware Config
Targets
-
-
Target
b5e1e946ebad560b876703e9675ca326.exe
-
Size
308KB
-
MD5
b5e1e946ebad560b876703e9675ca326
-
SHA1
c0e2e24a911a4d8e9cbc5a483ef8876fbabfa772
-
SHA256
c33ecac87bf07fc75b6768b76622daac389e05ef718c457e0393238d646bb130
-
SHA512
8ee9e9af2731eb83af3f17aa19b9a74547429f026882fb6d592d74d97ed958f990f46c5be5371e06360503672e9f8ca00ccf9d64ed59d11475c86a6f35ac1ff5
-
SSDEEP
6144:bOsY+HgEiTA14Xn0Ti8v1bbFgXIQdjrfzNt1gEP3:i814Xn0Ti8tbJyIQdjrfzWEP3
Score10/10-
Detects PseudoManuscrypt payload
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
PseudoManuscrypt
PseudoManuscrypt is a malware Lazarus’s Manuscrypt targeting government organizations and ICS.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-