General

  • Target

    Factura.rar

  • Size

    406KB

  • Sample

    231120-sv4czagh32

  • MD5

    0369545c7dcf1b7c05447c3da44e53dc

  • SHA1

    bc792f514ffee1e47fa7cd94790c52ca9f6b4994

  • SHA256

    30b929983761e36dd1878c571715bc56f453346b2525ca5804faf119f51348e3

  • SHA512

    41ecf5859126490e63a8360235be6227404b2044777fcfbe677a55ee5ca54d0ea9b3716b549f5111ee9ddc578092179b8eec2cf80cd481287f614865770d8610

  • SSDEEP

    12288:k2yXEEklreHgFONw4cBo2MdirwWuxIsS6e/1X:k2y1kxeHg+r9iUWSS5X

Score
8/10

Malware Config

Targets

    • Target

      Casanovaen.exe

    • Size

      474KB

    • MD5

      b2c8bb9682f118e40f4364676b18a06c

    • SHA1

      2cb7ff3c5c1e6f9019bf26c1f362f094f24d63e0

    • SHA256

      323c2461d75d856e287f65d145a1a5641dba1fa2131444c115f4af036d0f7de1

    • SHA512

      9a377e44826d76bb7ffd913c164e532724218143eddf1e5cb87e2fc09dd6bbbe3b8cf947990a0033be3c0c536cdbf218b083d393a5dbdeefef4e793c37e36737

    • SSDEEP

      12288:GqjLPd38RfvU9ETyVeWfDPghKFRSBIDV3x1n8S:G+SU9ETyVtshK73Xn8S

    Score
    8/10

    • Adds policy Run key to start application

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks