General
-
Target
32e60467041b40146d87fc1c8c734f60f7e3763820e0c2a852a801c8afd1c7ab.100-200.exe.zip
-
Size
322KB
-
Sample
230309-jrm25sab6z
-
MD5
16df1b9e4e856392f38fe2de84e00a7b
-
SHA1
27d06a05232ee55f283d4b2c516cbbd97b9fdca7
-
SHA256
22ec3789a43ae3faca8a10530445617686dda2ea99d44c0bcf21ab7e795dc0ea
-
SHA512
4c9c2b959df54e4071efd15e76827bae63f089dc08416dc6f3b8b58cca9ef6ca101eaa15b69b7d0ae17c125cc1fd8e1d7dd0ca6b8820f197f712ec772f66f205
-
SSDEEP
6144:EJCMDG5XwwkWplDTDJQgtMRHztJzd8Asi9LEEBQSB1GjFc1VdYu/FmaRVmS5/Eb:EJfDG5gwNJuJzd8G7/GBc1fRFmaKSu
Malware Config
Targets
-
-
Target
32e60467041b40146d87fc1c8c734f60f7e3763820e0c2a852a801c8afd1c7ab.100-200.exe
-
Size
143.3MB
-
MD5
b0ed21aa62e33da473528fbc1ed159bb
-
SHA1
441a9c102b61ada34762ce015535c8510170dcf0
-
SHA256
312618f9617883ff91935c9407feb70603fd1f7d246db75ab3f129e267752aab
-
SHA512
086665d64d431975d9ba7e9532adedcfaf0ccc9c184c1fedc8fc1baa197c0f1080b78a160b89f84c875f3bffd74c70b24e0f2dbd35d29bb0fdec22d5bb38252c
-
SSDEEP
6144:/OsY+HgEiTA14Xn0Ti8v1bbFgXIQdjrfzNt1KEP:O814Xn0Ti8tbJyIQdjrfzQEP
Score10/10-
Detects PseudoManuscrypt payload
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
PseudoManuscrypt
PseudoManuscrypt is a malware Lazarus’s Manuscrypt targeting government organizations and ICS.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-