General
Target: 92b8b8d35ba16bf772e1c3c55972ccda.bin
Size: 389KB
Sample: 230819-b7cbksff25
MD5: f95931bb368df5a08530b6c65e177076
SHA1: 5dd74f8a20a8741cf3cdda30e6e2bc2b820faf5e
SHA256: 84c2a497bbd52bd276480ff8aca4028bbabd0f6d3eb896453115afd49001b940
SHA512: 5ec8bc9b20e69a8ce52601c5e70bbc1ebc1c0a809dfa8a469ac1697f7c78ef17042129845a130c6a5d81a9a93dcb6ffa85607dbab16af46f8402c064c3e5894c
SSDEEP: 6144:G0IXPx40Tjgdgi9o3eoaDgJ+gaTE5i4/k7s7IA7wIXaQgq3qkNwoxumJhoKfug5x:+frgdgAoOoXwE5is7IqwkzlwoxugGM
Static task: static1
Behavioral task: behavioral1
Sample: 82d48c9bb4936387228e0de374d235ac364bd4011519b988623707cb7025150f.exe
Resource: win7-20230712-en
Behavioral task: behavioral2
Sample: 82d48c9bb4936387228e0de374d235ac364bd4011519b988623707cb7025150f.exe
Resource: win10v2004-20230703-en
Malware Config
Extracted
Protocol: smtp
Host: mail.eprl.pt
Port: 587
Username: [email protected]
Password: 6EO##P9jkTTY
Targets
Target: 82d48c9bb4936387228e0de374d235ac364bd4011519b988623707cb7025150f.exe
Size: 421KB
MD5: 92b8b8d35ba16bf772e1c3c55972ccda
SHA1: 4cb1fcef30fdcfe0f590ba1f223787939257ba36
SHA256: 82d48c9bb4936387228e0de374d235ac364bd4011519b988623707cb7025150f
SHA512: fed3b35b7f131fc80ca8d21f697ea0e91f3b9ed04eb36087b5d652a3396ce46e649dd6f401839ca0235a1c7bcd7e777c7cf27898ae00fe3dfe1712f0064b6be6
SSDEEP: 6144:vmOPuFNlaapl0zQwY0CyKlBGfpnAW4VKDkjdl8Jp42KcUMhmtL6Rt93WhX3A1maq:AlhpcCyKOf8l8D42XmxOt93OXQ1eoU
Score: 10/10
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext