General

  • Target

    file.exe

  • Size

    752KB

  • Sample

    230323-s22sqaae6y

  • MD5

    7429ee8b83fcbb48fe5b383a6235ac1d

  • SHA1

    f225f686fe9027eb2527bc945895fead79e67926

  • SHA256

    59a07e2c448afe8d96a5f79968d7ede52d409d9d36d7a77eaa190c5c70cf3f32

  • SHA512

    4764bbc74a06f55f755a28490f1490233f50655dee568edfcf8a11dd20105841cd84e64ce134a95f9c99907a8d537f56fc60b466c97512a16dbbe6826efa30a9

  • SSDEEP

    12288:VQi3IG+zy2Rc6m6UR0Ipp1hf39Wkv8xwJA:VQiYG+zy2RzHIppdUMA

Malware Config

Extracted

Family

gcleaner

C2

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Targets

    • Target

      file.exe

    • Size

      752KB

    • MD5

      7429ee8b83fcbb48fe5b383a6235ac1d

    • SHA1

      f225f686fe9027eb2527bc945895fead79e67926

    • SHA256

      59a07e2c448afe8d96a5f79968d7ede52d409d9d36d7a77eaa190c5c70cf3f32

    • SHA512

      4764bbc74a06f55f755a28490f1490233f50655dee568edfcf8a11dd20105841cd84e64ce134a95f9c99907a8d537f56fc60b466c97512a16dbbe6826efa30a9

    • SSDEEP

      12288:VQi3IG+zy2Rc6m6UR0Ipp1hf39Wkv8xwJA:VQiYG+zy2RzHIppdUMA

    • Detects PseudoManuscrypt payload

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • PseudoManuscrypt

      PseudoManuscrypt is a malware Lazarus’s Manuscrypt targeting government organizations and ICS.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks