General
- Target: 56BB12A6340433549F0B0AE8088579316758F696F9978.exe
- Size: 769KB
- Sample: 230318-sra71seg5s
- MD5: e663dcfeeeeb1022f1a3d59245a8636b
- SHA1: 085286bb3cca649ff9fdda29091acdd7a99f6e06
- SHA256: 56bb12a6340433549f0b0ae8088579316758f696f9978659211c17119a061f5b
- SHA512: 8e7a493d2b65211aa5aeb3b446594b5a9dde196a8458d1bcc116d517b0cfc87f431916554af53ca27e34e3c634f517cb035cba9c624b0c8ab303b61e83ecc856
- SSDEEP: 12288:T4LxRrXEygj9EtIomPZWk1l2zFOkb01Zg76+esTCm5xi/LTa3:T41RrXE5EtIoMbEzFOkAXgX2m5xJ
Static task: static1
Behavioral task: behavioral1
- Sample: 56BB12A6340433549F0B0AE8088579316758F696F9978.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 56BB12A6340433549F0B0AE8088579316758F696F9978.exe
- Resource: win10v2004-20230220-en
Malware Config
Extracted: pony
- http://www.egoprofumeria.eu/temp/gate.php
- http://twiste.com/mddy/gate.php
- http://www.egoprofumeria.eu/sample.scr
Targets
- Target: 56BB12A6340433549F0B0AE8088579316758F696F9978.exe
- Size: 769KB
- MD5: e663dcfeeeeb1022f1a3d59245a8636b
- SHA1: 085286bb3cca649ff9fdda29091acdd7a99f6e06
- SHA256: 56bb12a6340433549f0b0ae8088579316758f696f9978659211c17119a061f5b
- SHA512: 8e7a493d2b65211aa5aeb3b446594b5a9dde196a8458d1bcc116d517b0cfc87f431916554af53ca27e34e3c634f517cb035cba9c624b0c8ab303b61e83ecc856
- SSDEEP: 12288:T4LxRrXEygj9EtIomPZWk1l2zFOkb01Zg76+esTCm5xi/LTa3:T41RrXE5EtIoMbEzFOkAXgX2m5xJ
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Writes to the Master Boot Record (MBR): bootkits write to the MBR to gain persistence at a level below the operating system.
- Suspicious use of SetThreadContext