General
-
Target
file.exe
-
Size
1.4MB
-
Sample
230320-w4w7sseh39
-
MD5
0de84a66b983d2f407390473dd1e37de
-
SHA1
21de93ab0f4e6706403e0bd3167be9aa8178018b
-
SHA256
e8f0e3fe795f96909d2ce54434a20f0c87a8bde815e790a7de9fd48b7eb11969
-
SHA512
37fc3f31dbb2721565c56974638e483cf3700779b4bbe324c26dbf4f45721211516b041b519b63bd8feb653b8b1de6bda8c52736085f72ff597d5fcb8d839a94
-
SSDEEP
24576:m3Bdco8g+Jw+uIWdSNmppQIAni/mqjGYqXGkICzZ+apKOiz4GvaG/9jhNpNbWOAD:sxpxIGJppQIAni/mqjGYqXGbuZ+apKO/
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20230220-en
Malware Config
Extracted
amadey
3.65
77.73.134.27/8bmdh3Slb2/index.php
Targets
-
-
Target
file.exe
-
Size
1.4MB
-
MD5
0de84a66b983d2f407390473dd1e37de
-
SHA1
21de93ab0f4e6706403e0bd3167be9aa8178018b
-
SHA256
e8f0e3fe795f96909d2ce54434a20f0c87a8bde815e790a7de9fd48b7eb11969
-
SHA512
37fc3f31dbb2721565c56974638e483cf3700779b4bbe324c26dbf4f45721211516b041b519b63bd8feb653b8b1de6bda8c52736085f72ff597d5fcb8d839a94
-
SSDEEP
24576:m3Bdco8g+Jw+uIWdSNmppQIAni/mqjGYqXGkICzZ+apKOiz4GvaG/9jhNpNbWOAD:sxpxIGJppQIAni/mqjGYqXGbuZ+apKO/
-
Detects PseudoManuscrypt payload
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
PseudoManuscrypt
PseudoManuscrypt is a malware Lazarus’s Manuscrypt targeting government organizations and ICS.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-