Extracted

• • Target

    ad4fe1e40d5bd2e9881400aaaf00b43abdfcfcab35587923bd92067fa34d2059.exe

  • Size

    396KB

  • MD5

    8786b658cc8531383511362b788f8f1c

  • SHA1

    58da30ee843e7d5f51bdacca1ea495b84a7678fd

  • SHA256

    ad4fe1e40d5bd2e9881400aaaf00b43abdfcfcab35587923bd92067fa34d2059

  • SHA512

    d99b28db09067135359de87244a56d039399591d29c0bcf8c7d2163f934a938c4248239d87fcb6e99b9f0bce7132e95d0581ae32e73603af489f8b1444a44f5f

  • SSDEEP

    12288:iQi3Qa6m6URA3PhNOZm2K7YOY5p2tpNnnTIg:iQiA5hhVFf4y3Tp

  Score

  10^/10

  gcleanerpseudomanuscryptloaderpersistencespywarestealerevasion

  • Detects PseudoManuscrypt payload

    loader

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • PseudoManuscrypt

    PseudoManuscrypt is a malware Lazarus’s Manuscrypt targeting government organizations and ICS.

    loaderpseudomanuscrypt

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Checks for common network interception software

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion

  • Downloads MZ/PE file

  • Drops file in Drivers directory

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Unexpected DNS network traffic destination

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Suspicious use of SetThreadContext

  behavioral1behavioral2