General

  • Target

    6b47f733706f1e1e230d6f784cf28d61

  • Size

    138KB

  • Sample

    240120-ybmtrsfha4

  • MD5

    6b47f733706f1e1e230d6f784cf28d61

  • SHA1

    d3359577d8ebc64aa4d8a66dd7df5916b8d15df2

  • SHA256

    334fbb807f181d5737bd6672fc14db7c14c7363ca72745642ee1b553e7f4575e

  • SHA512

    9939f584bf2f2f0fe4924940d7d6b9d47782a91a5dc321c6bf7d3df41e2e2468ce10e5508718a7e96280839bb6dc0a27e214a6d64e963818dbed5d4cfc9bb3bf

  • SSDEEP

    3072:rE6zOJyfKdH/14jZHF8ZFZZv2/SS5ktp07lK3qUvdGzTR3wsjrW6:rE66JyydH/SjZHF8ZF72/SS4p277D

Malware Config

Extracted

  • Family

    metasploit

  • Version

    encoder/call4_dword_xor

Targets

    • Target

      Picture26.JPG.scr

    • Size

      176KB

    • MD5

      8ba528bbbe2f4e7630ae48d7ad079614

    • SHA1

      c338d7b7e3e6213802a2999140972918b9b6b2c9

    • SHA256

      51ff2b5eb750064f77cc881cfc7d7d2b3c1e0c9bcbab879b03fee55c4008669a

    • SHA512

      359699f4ea308fde0217c9fed0038a9e1d770b218caa14c21fc3b97ebc7b566aa533475190d060be8f9aa1b5c706ce6a71a1c23f3bf6264e8c68fb6294bfeb78

    • SSDEEP

      3072:xGOKaBE5/BKrNu5XAMSS5ktp07lK3qU1dGzTR3wsn:AapRyNSS4p27v

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Modifies firewall policy service

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks