General

  • Target

    a5ed8f34dd77eb45dbc30306adccd4435273de45f5c78b18fc9f8653f4167bfa.unknown

  • Size

    18KB

  • Sample

    230519-drd7cadg6z

  • MD5

    7b37c4579a80d362ce580687ed2aaf10

  • SHA1

    84a7c93a2b215172c9603f140ec1540b2d5a0edd

  • SHA256

    a5ed8f34dd77eb45dbc30306adccd4435273de45f5c78b18fc9f8653f4167bfa

  • SHA512

    40f7753b552973ef6de7c3506407ce27547fe43ada791915830cd11568f7ac3638317c284fcd89f5887d648f1efe6da786e5f89639299463f1aaceccda88d7a4

  • SSDEEP

    384:61UbTY1XNQZEQVl74hVElSxLYj/J8SpGKYTTUyc5/7fL5clkWng9Lwe9wo:61UfUXNQZp74YlStYj/J8SoKYTTUyc5n

Malware Config

Targets

    • Guloader,Cloudeye

      A shellcode-based downloader first seen in 2020.

    • NetSupport

      NetSupport is a remote access tool sold as legitimate system administration software.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks QEMU agent file

      Checks for the presence of the QEMU guest agent, possibly to detect virtualization.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks