General
-
Target
d3e1e0659ff9d7843f91e722d6e94cff0cbf891ab115b7dc23bde7c52a9ead09
-
Size
1.5MB
-
Sample
230316-2fs35adb68
-
MD5
9b8786c9e74cfd314d7fe9fab571d451
-
SHA1
e5725184c2da0103046f44c211cc943582c1b2b2
-
SHA256
d3e1e0659ff9d7843f91e722d6e94cff0cbf891ab115b7dc23bde7c52a9ead09
-
SHA512
9400e778bf8e57a9bcb9593f762f2473084ed06d04bf6d90566ab17019b0dd8c03f4a6190f72eeeb94fe1d0acf5d42223735d625a2a935a21d61182acef827d9
-
SSDEEP
12288:0uKd2SU1qQFhpGf1U1gYZMt4TwIwwNjCBCTIXFgpWW5Gm41jKmejWYzHWsd+1Ys2:NKdKUYLm7dsTccLa1mmerbED
Static task
static1
Malware Config
Extracted
amadey
3.65
77.73.134.27/8bmdh3Slb2/index.php
Targets
-
-
Target
d3e1e0659ff9d7843f91e722d6e94cff0cbf891ab115b7dc23bde7c52a9ead09
-
Size
1.5MB
-
MD5
9b8786c9e74cfd314d7fe9fab571d451
-
SHA1
e5725184c2da0103046f44c211cc943582c1b2b2
-
SHA256
d3e1e0659ff9d7843f91e722d6e94cff0cbf891ab115b7dc23bde7c52a9ead09
-
SHA512
9400e778bf8e57a9bcb9593f762f2473084ed06d04bf6d90566ab17019b0dd8c03f4a6190f72eeeb94fe1d0acf5d42223735d625a2a935a21d61182acef827d9
-
SSDEEP
12288:0uKd2SU1qQFhpGf1U1gYZMt4TwIwwNjCBCTIXFgpWW5Gm41jKmejWYzHWsd+1Ys2:NKdKUYLm7dsTccLa1mmerbED
-
Detects PseudoManuscrypt payload
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
PseudoManuscrypt
PseudoManuscrypt is a malware Lazarus’s Manuscrypt targeting government organizations and ICS.
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-