General
Target: ZenSoft.rar
Size: 54.2MB
Sample: 230729-t8as9afa5z
MD5: f7bdc29a955a12a8975bac449271dfd8
SHA1: c738f0e008f1e905f044eab5b669536351dafa42
SHA256: 9f706ef0f596b25a281b45ce2e0ebb4fa0fb32b53d3e6e386fc5bdda68f46930
SHA512: 8e64503b4e589351fb69087fb905d65abb801c29f7dc2d53c8adc4d1ad2b6fa302a4a998056b543a9296196debc67efe199c49ad8ee6a93e6688b3962bc10af9
SSDEEP: 1572864:SqHWHOX360DCRDHzD6i4k6i7g1sv3yC4aivYQEDJkg+i:IuH60DI76jk97CO3y2ivsDyu
Static task: static1

Malware Config
Extracted
Family: laplas
C2: http://185.209.161.189
api_key: f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
Targets

Target:
Size: 31.4MB
MD5: 693ce587757ecfb4a2ad9a0b7ed69c46
SHA1: f26ff05fd9e51040227f3c17c9a1859f184b3ffb
SHA256: c67d53bf5609737cb35b19b696f229f0fbd513fbabfad33a3c93850a23ab1ea5
SHA512: e1df3e3d96008ae38daf6f57cafdb41f1d53915d716e0c93e727f149254e56cfca4efb437be5819b6ce69956e8e36b50a69a2e769a36262e924da4e085a2ee8f
SSDEEP: 786432:fxJxyhzJySNqxsDM09U3lHyetJ60ak9Xw1v:1ytJPNq2DMzzO0ak9Xev

Downloads MZ/PE file
Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
Executes dropped EXE
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
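The following is an added example and not part of the sandbox report or its tooling. It shows detection logic for three of the behaviours the report flags, run over a constructed per-process API trace: the CreateProcess(CREATE_SUSPENDED), WriteProcessMemory, SetThreadContext, ResumeThread chain that process hollowing needs (the usual reason "Suspicious use of SetThreadContext" fires), a value written under a ...\CurrentVersion\Run key ("Adds Run key to start application"), and a registry read of the user's GeoID ("Checks computer location settings"). The trace format, pids, handles and paths are invented for the example; the report does not name the registry key behind the location check, so the Control Panel\International\Geo path used here is an assumption.

```python
r"""
Added example (not the sandbox's own signature code): three rules over a
constructed API trace, one per behaviour listed in the report.

  * Hollowing chain: CreateProcess* with CREATE_SUSPENDED, then in order
    WriteProcessMemory -> SetThreadContext -> ResumeThread, all in one pid.
  * Run key persistence: RegSetValueEx* under ...\CurrentVersion\Run(Once).
  * Location check: RegQueryValueEx* under Control Panel\International\Geo.
    ASSUMPTION: the report does not say which key is read; this is the key
    that holds the user's GeoID (country code) and is used here as an example.

Trace format "<pid> <api> name=value ..." and every line in SAMPLE_TRACE are
constructed; pids, handles and paths are invented.
"""
import re
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit (WinBase.h)

SAMPLE_TRACE = r"""
1204 CreateProcessW lpApplicationName=C:\Windows\SysWOW64\explorer.exe dwCreationFlags=0x00000004 pid=1488
1204 NtUnmapViewOfSection ProcessHandle=0x1c0 BaseAddress=0x00400000
1204 VirtualAllocEx hProcess=0x1c0 lpAddress=0x00400000 dwSize=0x1f000
1204 WriteProcessMemory hProcess=0x1c0 lpBaseAddress=0x00400000 nSize=0x200
1204 WriteProcessMemory hProcess=0x1c0 lpBaseAddress=0x00401000 nSize=0x1e000
1204 SetThreadContext hThread=0x1c4
1204 ResumeThread hThread=0x1c4
1488 RegQueryValueExW key=HKCU\Control Panel\International\Geo lpValueName=Nation
1488 RegSetValueExW key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run lpValueName=ntsvc lpData=C:\Users\user\AppData\Roaming\ntsvc.exe
2100 CreateProcessW lpApplicationName=C:\Windows\notepad.exe dwCreationFlags=0x00000000 pid=2140
2100 SetThreadContext hThread=0x1f0
2100 RegSetValueExW key=HKCU\Software\Vendor\App lpValueName=Version lpData=1.0
"""

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\s*(?P<args>.*)$")
# name=value pairs; a value runs until the next " name=" so paths with spaces survive
ARG_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_trace(text):
    """Return [(pid, api, {arg: value}), ...] in trace order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            args = dict(ARG_RE.findall(m.group("args")))
            events.append((int(m.group("pid")), m.group("api"), args))
    return events


HOLLOW_CHAIN = ("WriteProcessMemory", "SetThreadContext", "ResumeThread")


def detect_hollowing(events):
    """Pids that create a suspended process and then, in order, write its
    memory, set a thread context and resume it.  Calls between the chain
    steps (NtUnmapViewOfSection, VirtualAllocEx, ...) are ignored."""
    by_pid = defaultdict(list)
    for pid, api, args in events:
        by_pid[pid].append((api, args))
    hits = []
    for pid, calls in by_pid.items():
        step = None  # None until a CREATE_SUSPENDED CreateProcess* is seen
        for api, args in calls:
            flags = int(args.get("dwCreationFlags", "0"), 16)
            if api.startswith("CreateProcess") and flags & CREATE_SUSPENDED:
                step = 0
            elif step is not None and api == HOLLOW_CHAIN[step]:
                step += 1
                if step == len(HOLLOW_CHAIN):
                    hits.append(pid)
                    break
    return hits


RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo\b", re.IGNORECASE)  # assumed key


def detect_run_key(events):
    """(pid, value name, data) for every value written under a Run/RunOnce key."""
    return [(pid, args.get("lpValueName"), args.get("lpData"))
            for pid, api, args in events
            if api.startswith("RegSetValueEx") and RUN_KEY_RE.search(args.get("key", ""))]


def detect_geo_lookup(events):
    """Pids that read the user's GeoID (assumed key, see module docstring)."""
    return sorted({pid for pid, api, args in events
                   if api.startswith("RegQueryValueEx") and GEO_KEY_RE.search(args.get("key", ""))})


if __name__ == "__main__":
    ev = parse_trace(SAMPLE_TRACE)
    print("hollowing:", detect_hollowing(ev))
    print("run key:  ", detect_run_key(ev))
    print("geo check:", detect_geo_lookup(ev))
```

On the constructed trace, pid 1204 is flagged for the hollowing chain, pid 1488 for both the GeoID read and the Run value pointing at a dropped executable, while pid 2100, which calls SetThreadContext without a suspended child and writes an unrelated key, is not. The sandbox's own "Suspicious use of SetThreadContext" signature is looser (it reacts to the call itself); requiring the full chain trades some recall for fewer false positives from debuggers and legitimate injectors. To use this on real data, only parse_trace needs adapting to the sandbox's export format.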
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (2)
  Subvert Trust Controls (1)
    Install Root Certificate (1)