General
-
Target
$RDUQK6W.exe
-
Size
10.5MB
-
Sample
230412-n6gk5aca73
-
MD5
4a5a3ad1c74f3f7d525e1c97995ca649
-
SHA1
cc0548dcbf4c0bc4489529e9148cf9f921485e84
-
SHA256
19b66b877aa9324a2e9a51d828e1cab41b553070d37729096c555a7f1810fbb3
-
SHA512
fbb94f6b670fbd6e32ac71b97cfe00d3c67a9747e1e4192ad1889bd8cf121b1b3bfe6e9fa0d4ba8634b5a8431b84c4ba7b3800bb6e128ce9ad759f952ac875b3
-
SSDEEP
196608:OXBAqsvidH8HkLOogdmCvl6SsT2bygeHHNc8zKiSKu5GjY2+rZvPTetsi0ERHblh:vidcEiJtNUEMH6kXYj5etb0qHblVFV
Static task
static1
Malware Config
Extracted
allcome
http://dba692117be7b6d3480fe5220fdd58b38bf.xyz/API/2/configure.php?cf6zrlhn=Raqxnd
D7pq84u7ke73RmCkRPc1z2nKBfmfPrYLxM
rEPri1dB2B6TxxzBw31ihKwGkEEE3ZCzH2
0x379844563B2947bCf8Ee7660d674E91704ba85cc
XqcVZ9pP5YyEwfQ4RkVXC5mWZgQBY3qNNz
TT5o47UN2jDfvmbv7EQm8NZ3xw7NcpKhKB
t1Qc898xYxqJ2Vsrd2X15EA3L2QzNrCdZ6W
GB3TZL2PBSQOQAEFU57JPIFAXG7R73ECOSQGT3XCDCOAUGUWUKWAVO7H
4AqLHHmtMTQRWomEbPd8yxFdEsZ5VMXy1MvwhG1TTWgcCbGzgaAcfkA54K45UbQXjtBa3UYhmr8vYaGNGAkVTfXCE5bbT12
qrkkg7692gv3fz407lt8zxdxtx2d4zuf2q204ykdzn
1NipSzEWByjXUarhF2p3qq51MVbnnoo6HZ
0x08BDb0e0339E7B9A725FD665Fc17B3AA3FF73BFc
LQtxqhZWP3EDi9n1tVdKNyZVR6wrFRr7hN
+79889916188
+79889916188
+79889916188
LP1oSHdQ3kdgrWnPvB5XtuBLZaMq9JMoWt
ltc1qq5k32ja0yun36ydqhv6edd8ydpmfkfy6g5e994
bc1qngt9pchlwak6rzc37ez05sfhzr8dnyupu7e769
bc1qnx4g8m8lctzxm5wlcfpw2ae8zkf6nxerdujzuu
89CBob8FyychG8inyWBBhqUxbPFGzVaWnBZRdeFi8V38XRRv312X6ViMPxCuom3GKk8hLFmZYmTPQ1qMmq6YY8rCNCDeubb
Extracted
colibri
1.2.0
Build1
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Targets
-
-
Target
$RDUQK6W.exe
-
Size
10.5MB
-
MD5
4a5a3ad1c74f3f7d525e1c97995ca649
-
SHA1
cc0548dcbf4c0bc4489529e9148cf9f921485e84
-
SHA256
19b66b877aa9324a2e9a51d828e1cab41b553070d37729096c555a7f1810fbb3
-
SHA512
fbb94f6b670fbd6e32ac71b97cfe00d3c67a9747e1e4192ad1889bd8cf121b1b3bfe6e9fa0d4ba8634b5a8431b84c4ba7b3800bb6e128ce9ad759f952ac875b3
-
SSDEEP
196608:OXBAqsvidH8HkLOogdmCvl6SsT2bygeHHNc8zKiSKu5GjY2+rZvPTetsi0ERHblh:vidcEiJtNUEMH6kXYj5etb0qHblVFV
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-