General
Target: TaxForm.lnk
Size: 1KB
Sample: 240202-ybyahadhb8
MD5: 6286895f855df2e0577a8de4c7d083bd
SHA1: b963d63927e491e9297ca56d737dda5b24aeb929
SHA256: dd02646e2bfae250696acb1f911f8feac56e3223c11aa26ebf2e77700c0477f4
SHA512: 4648ffca2f148611d50e23bfde904f330a9aa966350c8a9f4648b419444edcb4d459abf9306410491766f2ba21d334afe2446ee5e6402a5ddf71d3b04f543955
Static task: static1
Behavioral task: behavioral1
Sample: TaxForm.lnk
Resource: win10v2004-20231215-en

Malware Config
Extracted: http://45.153.243.208/a58
Targets
Target: TaxForm.lnk
Size: 1KB
MD5: 6286895f855df2e0577a8de4c7d083bd
SHA1: b963d63927e491e9297ca56d737dda5b24aeb929
SHA256: dd02646e2bfae250696acb1f911f8feac56e3223c11aa26ebf2e77700c0477f4
SHA512: 4648ffca2f148611d50e23bfde904f330a9aa966350c8a9f4648b419444edcb4d459abf9306410491766f2ba21d334afe2446ee5e6402a5ddf71d3b04f543955
Score: 10/10
Signatures
- Detect DarkGate stealer
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Uses the VBS compiler for execution
- Adds Run key to start application
- Suspicious use of SetThreadContext