General
-
Target
Lorex.AdluminInstaller.msi
-
Size
6.5MB
-
Sample
230510-wzv4yahg24
-
MD5
ba9f849e3c6e57316548367f0f6a444b
-
SHA1
34b80863cddfd512be800f366f282eb58fdfc640
-
SHA256
dc2c8c8369c3dee48feb6b43b5467f22e6a0c939257207828104ed8d94b154d2
-
SHA512
93c324b2849e9642de25370d3e73f246384f00c2ef49c2d624f495447b856e4a74911066779650a35249bd8518cf4b4944c168982c3613f29f6a9405b74aa21d
-
SSDEEP
98304:ZiWF9TZpfEK0lk5xmY7aRGm7XCiiQO95anWA25u2tEYjTMy5rp5WpiSvv:r91pSlkqFGICii15HrgYjTMIrfWESvv
Static task
static1
Behavioral task
behavioral1
Sample
Lorex.AdluminInstaller.msi
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Lorex.AdluminInstaller.msi
Resource
win10-20230220-en
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Extracted
formbook
4.1
m82
jamesdevereux.com
artificialturfminneapolis.com
hongmeiyan.com
lojaderoupasbr.com
yit.africa
austinrelocationexpert.com
saiva.page
exitsategy.com
chochonux.com
klosterbraeu-unterliezheim.com
byseymanur.com
sblwarwickshire.co.uk
brazimaid.com
ciogame.com
bronzesailing.com
dwkapl.xyz
022dyd.com
compassandpathwriting.com
alphabet1x.com
selfcleaninghairbrush.co.uk
power-bank.co.uk
kickskaart.com
baumanbilliardsnv.com
bestcp.net
doghospitalnearme.com
mixano.africa
helarybaber.online
illubio.com
ciutas.com
ldpr33.ru
killtheblacks.com
cassino-portugal.com
danhaii.com
gvtowingservice.com
let-travel.africa
dental-implants-67128.com
facetaxi.xyz
ctjh9u8e.vip
kyosaiohruri.com
executivepresencetrainer.com
greatharmony.africa
feelingsarereal.com
devopsuday.club
happiestminds-udemy.com
fittingstands.com
happyhousegarment.com
24daysofheaven.com
herhustlenation.com
xn--oy2b27nt6b.net
hothotcogixem.online
hausmeisterservice-berlin.net
hjddbb.com
stoutfamilychiro.com
bookishthoughtsbychristy.com
gibellinaheartquake.com
8cf1utrb6.xyz
patrick-daggitt.com
ebcbank.net
angel909reviews.com
arcteryxsouthafricaonline.com
cutematvhy.com
art2z.com
bulkforeverstamps.com
heatbling.com
despachocontablequinsa.com
Targets
-
-
Target
Lorex.AdluminInstaller.msi
-
Size
6.5MB
-
MD5
ba9f849e3c6e57316548367f0f6a444b
-
SHA1
34b80863cddfd512be800f366f282eb58fdfc640
-
SHA256
dc2c8c8369c3dee48feb6b43b5467f22e6a0c939257207828104ed8d94b154d2
-
SHA512
93c324b2849e9642de25370d3e73f246384f00c2ef49c2d624f495447b856e4a74911066779650a35249bd8518cf4b4944c168982c3613f29f6a9405b74aa21d
-
SSDEEP
98304:ZiWF9TZpfEK0lk5xmY7aRGm7XCiiQO95anWA25u2tEYjTMy5rp5WpiSvv:r91pSlkqFGICii15HrgYjTMIrfWESvv
-
Formbook payload
-
Blocklisted process makes network request
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Registers COM server for autorun
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-