General
-
Target
η»θεε².rar
-
Size
10.9MB
-
Sample
230429-gkgwfaaa24
-
MD5
c65b0e8e4e78468a519bad848691ff26
-
SHA1
4dcac9a2024acb975310eaf26c17aaf40d093fd9
-
SHA256
2811b96344264d2752dfe7fa5c0d124444a2337745bb66c3836e406c7df2b916
-
SHA512
585c3e967a50eda2b547e84d5c5207e67768ad283c2514daf2384843845813110a227c7e2b4f4458c1996a0c3cc3edae9019bf2868980b54e8b5d7811e054feb
-
SSDEEP
196608:6lR10VvZGfg/XCenZEH7coQlv90BfsEtUJ3FtE73jkzAKMwzMWHnNxgtHe45ixpd:6l8VRy42PQtiBfht2w7jkcQngtHD5g9t
Malware Config
Extracted
icedid
Targets
-
-
Target
η»θεε²/ε½±ζ΅δΉηπΉ (10).exe
-
Size
5.0MB
-
MD5
22ba843c2cfd43aaf712b80b40e8b4f0
-
SHA1
b8ea71676e0651b7d918a16473a030c1014b7ffd
-
SHA256
76dee725ec290d43a66d16054121085868030a2af49fb0c5affc471c50984bd7
-
SHA512
5fbae872c164e80ff042aca5d4821ff14c47f2889dce7557ee4d7a2f5a4d7a4ac7d183f3dfe6144e210fa1621080de874dd30f7a7827032ebe3ec935799f6ac1
-
SSDEEP
49152:NtErfhsOSMa1xYus4Q2D2TgG6hN3gSVsmqoyeBe4:NtEbfa1xNL2g3mrEBX
Score10/10-
IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
-
Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
-
Matiex Main payload
-
Detectes Phoenix Miner Payload
-
-
-
Target
η»θεε²/ε½±ζ΅δΉηπΉ (5).exe
-
Size
1.1MB
-
MD5
98e247275859543e4f338a906b7a0e2d
-
SHA1
cbc75272194f9b96719635e5a1ad347e8aaeb972
-
SHA256
c4318f631e8c30ff72114876c9fb3e435941b5bf18ab969c53c26483e5699eb8
-
SHA512
04cd9e7fd6f36ccdb4fb64ec86fa5c38d2997849f7330c63bf0db4286cea2a8588600afdec8a56ade39c0e718d5e235e762757295e0e745503ebbb147fde1d9a
-
SSDEEP
24576:G2Bf9f3u+9UjIS1Nl1JPSAqn4HuuwOBJM12nYELdGCLE:G27f3kFaA6intW
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
-
-
Target
η»θεε²/ε½±ζ΅δΉηπΉ (7).exe
-
Size
10.7MB
-
MD5
a090c26b4be46ffdf226a0b7a453f51f
-
SHA1
6a1743d359bef4ee18fdee6a6bf5199e69f07cfb
-
SHA256
bb93f0838f72a557c09e03593360e5458ab7d43921773d3961287a28201289ef
-
SHA512
83c90f4efff01cb84bb97030c84bac212b8b143723c7f1f3ecd3379000be85de3850d211519c2d429ebf4dba8b555c3a9a4c9a77f6ab856630907da681822691
-
SSDEEP
196608:/NQqSiD+bU2fbWzTRdtMQ4GraMTsGhbgOp4m:hmfqXtMQPravGh0Oym
Score10/10-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
XMRig Miner payload
-
Drops file in Drivers directory
-
Stops running service(s)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Loads dropped DLL
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-