Overview

Task                 Platform            Score
overview             -                   10
static               -                   1
AnyDesk.exe          windows7-x64        8
AnyDesk.exe          windows10-2004-x64  8
tmp/ChromeSetup.exe  windows7-x64        8
tmp/ChromeSetup.exe  windows10-2004-x64  8
tmp/Spotif...6).exe  windows7-x64        8
tmp/Spotif...6).exe  windows10-2004-x64  10
tmp/filmor...83.exe  windows7-x64        7
tmp/filmor...83.exe  windows10-2004-x64  7

(The overview score is the highest score reached by any task; the per-target scores in the Targets section below are consistent with this table.)

General
Target: MHFNV-AnyDesk.zip
Size: 7.1MB
Sample: 230315-jzfm2aeb7z
MD5: d823fc4cb1ca69045f306ba76720cc25
SHA1: e66efcc2ff0a5b729155adac25d36646497694b7
SHA256: fbcc321f10e8ed9fbda3e9d9ce6cc03ad1fa3c83578a2b22ec7f6fd853412750
SHA512: 37ec7433645bfd88260ccb332a73dea6aedd0f1465bca322e4a90fede46468213186a227437ce075142e809d2b40d01267a546af5f2623ad185f3ca31f546f0c
SSDEEP: 196608:IVvQZhCFrn0TKXb6Rxn9M8KMyc4k2cvBQxOKP+bX:XSrnCeY9Mdcz2ABQQKGbX
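Before analysing the archive, confirm that what you hold is what the report hashed: the report keys each member by its stored path (e.g. tmp/ChromeSetup.exe) and lists MD5/SHA1/SHA256/SHA512 for the outer zip and every member. The following is an added example, not tooling from the sandbox or the report, that performs that check. The SHA256 values in REPORTED_SHA256 are copied from this page; the archive the demo builds, its placeholder bytes and the tmp/extra.bin member are constructed stand-ins, so the statuses it prints describe those placeholders, not the real samples.

```python
"""Verify the members of a sample archive against the digests a sandbox report lists."""
import hashlib
import io
import zipfile

DIGESTS = ("md5", "sha1", "sha256", "sha512")

# SHA256 values copied from the report's Targets section. Sizes are not included because
# the report rounds them (5.5MB, 1.4MB, ...), so they cannot be compared byte-exactly.
REPORTED_SHA256 = {
    "AnyDesk.exe": "25884495d9c27c8b120bfab40bd28b7f5255b4916c54c7fb74a90dd8000bf44e",
    "tmp/ChromeSetup.exe": "5ff2518d88344a100675488d86596aa57aea55df103d5b586a2b572baab6bff1",
    "tmp/SpotifySetup (6).exe": "c85f5e46a80bf8658245f7409318a3e1a6894c5de5cfe321c0b1edb13a5e81e4",
    "tmp/filmora_setup_full1083.exe": "ef44c8a411347ab85152769cd99a6ad5fe1d20005ea857f920eb2bb60c705ca0",
}


def digest_all(data: bytes) -> dict:
    """All four digests the report lists for one blob, as lowercase hex."""
    return {name: hashlib.new(name, data).hexdigest() for name in DIGESTS}


def verify_bundle(zip_bytes: bytes, expected: dict) -> dict:
    """Check every expected member of the archive.

    `expected` maps a member path exactly as stored in the archive (the report keys members
    that way, e.g. 'tmp/ChromeSetup.exe') to a dict holding any of md5/sha1/sha256/sha512
    and/or an exact 'size' in bytes. Returns one status per path: 'ok', 'missing',
    'unexpected' (in the archive but not in `expected`) or 'mismatch:<field>,<field>...'.
    Keys the function cannot compute (e.g. ssdeep) are ignored rather than failed.
    """
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = {i.filename: i for i in zf.infolist() if not i.is_dir()}
        for path, want in expected.items():
            info = members.get(path)
            if info is None:
                results[path] = "missing"
                continue
            got = digest_all(zf.read(info))
            got["size"] = info.file_size  # uncompressed size from the central directory
            bad = sorted(
                k for k, v in want.items()
                if k in got and got[k] != (v.lower() if isinstance(v, str) else v)
            )
            results[path] = "ok" if not bad else "mismatch:" + ",".join(bad)
        for path in members:
            if path not in expected:
                results[path] = "unexpected"
    return results


def build_constructed_bundle() -> bytes:
    """A constructed stand-in for MHFNV-AnyDesk.zip: placeholder bytes, not the real samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AnyDesk.exe", b"MZ placeholder for the AnyDesk.exe member")
        zf.writestr("tmp/ChromeSetup.exe", b"MZ placeholder for the ChromeSetup.exe member")
        zf.writestr("tmp/extra.bin", b"a member the report never listed")
    return buf.getvalue()


def demo_expected() -> dict:
    """Expected table for the constructed bundle. AnyDesk.exe carries the report's real SHA256,
    so the placeholder is flagged; ChromeSetup's digests are computed from the placeholder
    itself purely to exercise the 'ok' path; SpotifySetup is listed but absent from the zip."""
    chrome = b"MZ placeholder for the ChromeSetup.exe member"
    return {
        "AnyDesk.exe": {"sha256": REPORTED_SHA256["AnyDesk.exe"]},
        "tmp/ChromeSetup.exe": dict(digest_all(chrome), size=len(chrome)),
        "tmp/SpotifySetup (6).exe": {"sha256": REPORTED_SHA256["tmp/SpotifySetup (6).exe"]},
    }


if __name__ == "__main__":
    for path, status in sorted(verify_bundle(build_constructed_bundle(), demo_expected()).items()):
        print(f"{status:16} {path}")
```

In real use, replace `demo_expected()` with the report's values for all four members and run it against the downloaded MHFNV-AnyDesk.zip; hash the outer archive with `digest_all` as well and compare against the General section. The SSDEEP values are deliberately not checked: a fuzzy hash is a similarity measure, not an identity check, and comparing it needs an external library.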
Static task: static1

Behavioral tasks
Task         Sample                          Resource
behavioral1  AnyDesk.exe                     win7-20230220-en
behavioral2  AnyDesk.exe                     win10v2004-20230220-en
behavioral3  tmp/ChromeSetup.exe             win7-20230220-en
behavioral4  tmp/ChromeSetup.exe             win10v2004-20230220-en
behavioral5  tmp/SpotifySetup (6).exe        win7-20230220-en
behavioral6  tmp/SpotifySetup (6).exe        win10v2004-20230220-en
behavioral7  tmp/filmora_setup_full1083.exe  win7-20230220-en
behavioral8  tmp/filmora_setup_full1083.exe  win10v2004-20230220-en
Malware Config
Targets

Target: AnyDesk.exe
Size: 5.5MB
MD5: 33614c059849aaeacaa68422b11a9795
SHA1: baf66bc7a279fcde9fa90708c153e06b89bb60d9
SHA256: 25884495d9c27c8b120bfab40bd28b7f5255b4916c54c7fb74a90dd8000bf44e
SHA512: c211cfee30e6f3336a0d4aa8e44d91be4fb0399c2dc7d8a01b37d4264b44865c51037f5b6470f3aecd53cb551951132d80fbdba3b18fe0787cacd6166a66e5f6
SSDEEP: 98304:cKYGKdACTgvV6qPvZpgvXM/N3qZBO0cY2YPGvhP0JGom5:cp86qPvZ6v6NH0l7PXm5
Score: 8/10

Signatures:
- Blocklisted process makes network request
- Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives (attempts to read the root path of hard drives other than the default C: drive)
- Drops file in System32 directory

Target
tmp/ChromeSetup.exe
-
Size
1.4MB
-
MD5
38e7c79cf8fd1dc35afaa6706819d628
-
SHA1
257d60060f742c943e9981a30be6edc94262d844
-
SHA256
5ff2518d88344a100675488d86596aa57aea55df103d5b586a2b572baab6bff1
-
SHA512
acb7ff1fa0937b6be85cf83c459d17d750f546bf694be21f5704283fad655b9bc7406656415eff4b7db91c4887308674a59f21a84926925991347e955540cfac
-
SSDEEP
24576:Jw8KjKjGFygcc23L1/NVOmOSGb6E3ecS4fzrjxJh9UZXlpbPvC7xtYUrEmFlo+LT:PKjKWQc2b1FVgbjrjxPe1pbPSQm1FloS
Score8/10-
Downloads MZ/PE file
-
Modifies Installed Components in the registry
-
Sets file execution options in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Registers COM server for autorun
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension
-
-
-
Target
tmp/SpotifySetup (6).exe
-
Size
901KB
-
MD5
6b4411127459dc891fc2fdecbf02ad23
-
SHA1
b3904dd4f88ec6fce4f806eef1acad40c75e68b8
-
SHA256
c85f5e46a80bf8658245f7409318a3e1a6894c5de5cfe321c0b1edb13a5e81e4
-
SHA512
b075b9a2d6b6573627afcd4112da3cb081204169e59172f16de8c8ac7c7ad3a1ae809e9252c58094dbfdb16b9b48c1b032b18397acfc372fa0487271feee77c0
-
SSDEEP
24576:bL3ZLvFFzsZ1nMdwOySKcgwkPIBu9mI+kVluU:bL3lsfMdwOySKkkPIY9z+kXj
Score10/10-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
-
-
Target
tmp/filmora_setup_full1083.exe
-
Size
1.7MB
-
MD5
5b293ce0c49329de880b71bb704e75e3
-
SHA1
c82db99df1f3e238fd1f489c8648a9afe82dcf4f
-
SHA256
ef44c8a411347ab85152769cd99a6ad5fe1d20005ea857f920eb2bb60c705ca0
-
SHA512
5d5d50d77b1e242a048ed7f78d82ad7c1fea78b6759afeda54764f92a77037b440c1f04d0a433a5f4e7760b6b165f09509e071793dfc93cd1972f49a04611743
-
SSDEEP
49152:nCuREYPAwUb+zlXxbeOzsByErzt/QH3TOu5+NSae6G4n:WwxbfzsTrzt/gwNu+
Score7/10-
Executes dropped EXE
-
Loads dropped DLL
-
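Four of the registry signatures above (Adds Run key to start application, Sets file execution options in registry, Modifies Installed Components in the registry, Registers COM server for autorun) are all value writes under well-known persistence locations, which is what host telemetry can confirm after the fact. The following is an added example, not code from the report or the sandbox, that maps Sysmon Event ID 13 (RegistryEvent, value set) records to those signature names. It assumes the events have been exported one JSON object per line with EventID, Image and TargetObject fields (an assumption about the forwarder, not a Sysmon format); the registry-path patterns are this example's own mapping, and the log lines, image paths, SID, GUIDs and value names are constructed placeholders. The report's read-only checks (country-code lookup, Uninstall key enumeration, drive-root reads) are intentionally not covered, since Sysmon does not record registry reads.

```python
"""Map Sysmon registry value-set events (EID 13) to the persistence signatures named in the report."""
import json
import re

# Signature labels reuse the report's wording; the patterns are this example's own mapping onto
# registry value paths. (?:Wow6432Node\\)? tolerates the 32-bit registry redirection prefix.
RULES = [
    ("Adds Run key to start application", re.compile(
        r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.I)),
    ("Sets file execution options in registry", re.compile(
        r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\[^\\]+\\", re.I)),
    ("Modifies Installed Components in the registry", re.compile(
        r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Active Setup\\Installed Components\\", re.I)),
    ("Registers COM server for autorun", re.compile(
        r"\\Classes\\(?:Wow6432Node\\)?CLSID\\\{[0-9A-Fa-f-]+\}\\(?:InprocServer32|LocalServer32)\\", re.I)),
]


def classify(target_object: str):
    """Return the signature label matching a registry value path, or None."""
    for label, pattern in RULES:
        if pattern.search(target_object):
            return label
    return None


def scan(lines):
    """Return [(image, label, target_object)] for every EID 13 record that hits a rule.

    Other event IDs (e.g. EID 12, key created) and unparsable lines are skipped: creating a
    Run key is not yet persistence, writing a value under it is.
    """
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("EventID") != 13:
            continue
        label = classify(ev.get("TargetObject", ""))
        if label:
            hits.append((ev.get("Image", "?"), label, ev["TargetObject"]))
    return hits


# Constructed Sysmon records, one JSON object per line. Image paths, SID, GUIDs and value
# names are placeholders chosen for this example, not artifacts observed in the report.
SAMPLE_LOG = r"""
{"EventID": 13, "Image": "C:\\tmp\\SpotifySetup (6).exe", "TargetObject": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "Details": "C:\\tmp\\update.exe"}
{"EventID": 13, "Image": "C:\\tmp\\ChromeSetup.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\notepad.exe\\Debugger", "Details": "C:\\tmp\\helper.exe"}
{"EventID": 13, "Image": "C:\\tmp\\ChromeSetup.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{00000000-0000-0000-0000-000000000001}\\StubPath", "Details": "C:\\tmp\\helper.exe"}
{"EventID": 13, "Image": "C:\\tmp\\ChromeSetup.exe", "TargetObject": "HKLM\\SOFTWARE\\Classes\\CLSID\\{00000000-0000-0000-0000-000000000002}\\InprocServer32\\(Default)", "Details": "C:\\tmp\\helper.dll"}
{"EventID": 12, "Image": "C:\\tmp\\ChromeSetup.exe", "TargetObject": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", "Details": ""}
{"EventID": 13, "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "Details": "DWORD (0x00000001)"}
"""

if __name__ == "__main__":
    for image, label, target in scan(SAMPLE_LOG.splitlines()):
        print(f"{label:48} {image} -> {target}")
```

The Run rule anchors on `CurrentVersion\Run` or `RunOnce` followed by exactly one value name, so Explorer's `RunMRU` history key does not match; the COM rule requires an InprocServer32 or LocalServer32 subkey under a CLSID, since CLSID keys are also written for harmless reasons. Tune the rules to the sandbox's own heuristics if you have them; the names here are only the report's labels.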