General
Target: D355C4841E3EAAC57D849EBB20B976AB3D9A8A2A12D93.exe
Size: 1.2MB
Sample: 230507-hz9qfacf32
MD5: 7022efdc7290b59496df738f10ff2af8
SHA1: c8010e7eefa1d6d58b48e23178947a29b8dd6649
SHA256: d355c4841e3eaac57d849ebb20b976ab3d9a8a2a12d93ae6704fcc681241c785
SHA512: 3e82c0cabcb0ea955456bb2d28b7585f3d0bfd3be97ccbd1c4fa922932637161e65df2723b8c5853dc39446cdeb78c040ae1efb202ab6823e52238b50cd553ab
SSDEEP: 12288:NbbbbbbbbH77777777YazjkAame5Ug5lYjbbbbbbbbH77777777rioJY:CKkAT2P5SiV
Static task: static1
Behavioral task: behavioral1
Sample: D355C4841E3EAAC57D849EBB20B976AB3D9A8A2A12D93.exe
Resource: win7-20230220-en
Malware Config
Extracted: pony
http://ranmabo.tk/no/gate.php
payload_url:
http://magic-skid.com/shit.exe
http://skid.com/calculator.exe
Extracted: lokibot
http://matbin.com/doc/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
Target: D355C4841E3EAAC57D849EBB20B976AB3D9A8A2A12D93.exe
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext