General

Target: fdrsetrgh.exe
Size: 1.5MB
Sample: 240310-vgmt6sgf42
MD5: fe5101b50e92a923d74cc6f0f4225539
SHA1: f7a2fc4e471a203c8a5683c02ada2c3931c8f0ec
SHA256: 411b8cd39606bbe551627f1868bb4ace1f9fcb5387b6a58b9bb7f31c50109e10
SHA512: bd1fa89a7a1f7b9f1bcb6ac574b9ad09d8cd053723b24f8d5fbe4a5946e6fce4325040364d1e9e79f98421bc8c656e4601ba4c96ff63b1472bbb01b59e0414ee
SSDEEP: 24576:EbRKGN66DdkfD2mtArFoZpAQbuSy6Pj44aOLu5S3+RIYMpS:+RK4ZWDVt4G2r67458tYMU
Static task: static1
Behavioral task: behavioral1, sample fdrsetrgh.exe, resource win7-20240221-en
Behavioral task: behavioral2, sample fdrsetrgh.exe, resource win10v2004-20240226-en
Behavioral task: behavioral3, sample $PLUGINSDIR/System.dll, resource win7-20231129-en
Behavioral task: behavioral4, sample $PLUGINSDIR/System.dll, resource win10v2004-20240226-en
Malware Config

Extracted from: C:\Program Files\Java\jdk1.7.0_80\db\Restore-My-Files.txt
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
https://decoding.at

Extracted from: C:\Program Files\dotnet\Restore-My-Files.txt
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
https://decoding.at

Both notes (Restore-My-Files.txt is the LockBit ransom note filename) carry the same three Tor v3 (.onion) addresses and the same two clearnet mirrors, so this is one configuration written to two locations rather than two distinct configs; the five URLs are the network IOCs to take from this report.
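The two extracted notes above contain the same URL set, which is the kind of thing worth checking mechanically rather than by eye. The script below is an added example for this report, not tooling from the sandbox vendor or the malware author: it pulls the URLs out of each note body, labels each as a v3 or v2 onion address (or clearnet), and records which note paths each URL appeared in. The note paths and URLs are the ones the report lists; the surrounding note wording is constructed for the demo and is not the real note text.

```python
"""Pull the contact URLs out of the two extracted Restore-My-Files.txt notes.

Added example for this report; it is not tooling from the sandbox vendor or
the malware author. The note paths and URLs are the ones the report lists;
the surrounding note wording below is constructed for the demo.
"""
import re
from urllib.parse import urlsplit

# Crude URL matcher: scheme, then everything up to whitespace or quotes.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed note bodies: real paths and URLs from the report, made-up text.
NOTES = {
    r"C:\Program Files\Java\jdk1.7.0_80\db\Restore-My-Files.txt": """
Your files are encrypted. Contact us through the Tor browser:
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
Mirrors reachable without Tor: https://bigblog.at, https://decoding.at.
""",
    r"C:\Program Files\dotnet\Restore-My-Files.txt": """
Your files are encrypted. Contact us through the Tor browser:
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
Mirrors reachable without Tor: https://bigblog.at, https://decoding.at.
""",
}

# Onion v3 labels are 56 base32 chars; legacy v2 labels were 16.
V3_RE = re.compile(r"^[a-z2-7]{56}$")
V2_RE = re.compile(r"^[a-z2-7]{16}$")


def classify(url: str) -> str:
    """Label a URL as a v3/v2 onion address, a malformed .onion, or clearnet."""
    host = (urlsplit(url).hostname or "").lower()
    if host.endswith(".onion"):
        label = host[: -len(".onion")]
        if V3_RE.match(label):
            return "onion-v3"
        if V2_RE.match(label):
            return "onion-v2"
        return "onion-invalid"
    return "clearnet"


def extract_urls(text: str) -> list:
    """Return the URLs in a note body, trailing punctuation stripped, in order."""
    urls = []
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(".,;:)")
        if url not in urls:
            urls.append(url)
    return urls


def consolidate(notes: dict) -> dict:
    """Map each URL to its classification and the note paths it appeared in."""
    out = {}
    for path, body in notes.items():
        for url in extract_urls(body):
            entry = out.setdefault(url, {"kind": classify(url), "paths": []})
            entry["paths"].append(path)
    return out


if __name__ == "__main__":
    for url, info in consolidate(NOTES).items():
        print(f"{info['kind']:13} {url}  (seen in {len(info['paths'])} note(s))")
```

Run it on real note files by reading each path into the NOTES dict; a URL that shows up in only one of several notes, or an onion label that is not 56 characters, is a sign the sample carries more than one configuration or that the note was truncated.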
Targets

Target: fdrsetrgh.exe
Size: 1.5MB
MD5: fe5101b50e92a923d74cc6f0f4225539
SHA1: f7a2fc4e471a203c8a5683c02ada2c3931c8f0ec
SHA256: 411b8cd39606bbe551627f1868bb4ace1f9fcb5387b6a58b9bb7f31c50109e10
SHA512: bd1fa89a7a1f7b9f1bcb6ac574b9ad09d8cd053723b24f8d5fbe4a5946e6fce4325040364d1e9e79f98421bc8c656e4601ba4c96ff63b1472bbb01b59e0414ee
SSDEEP: 24576:EbRKGN66DdkfD2mtArFoZpAQbuSy6Pj44aOLu5S3+RIYMpS:+RK4ZWDVt4G2r67458tYMU
Score: 10/10

Signatures:
- Creates a large amount of network flows. This may indicate a network scan to discover remotely running services.
- Modifies boot configuration data using bcdedit. The report does not show the bcdedit arguments that were used.
- Checks computer location settings. Looks up the country code configured in the registry, likely a geofence check.
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives. Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger (the ThreadHideFromDebugger information class stops a debugger from receiving events for that thread, an anti-analysis technique)
- Suspicious use of SetThreadContext (rewrites a thread's register state, including its instruction pointer, and is commonly part of process injection)
Target: $PLUGINSDIR/System.dll
Size: 12KB
MD5: cff85c549d536f651d4fb8387f1976f2
SHA1: d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA256: 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SHA512: 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88
SSDEEP: 192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
Score: 3/10

$PLUGINSDIR is the directory into which an NSIS installer unpacks its plugins, and System.dll is the NSIS System plugin that installer scripts use to call Win32 APIs. Its presence indicates that fdrsetrgh.exe is an NSIS-built package; the plugin on its own is generic installer code, which is why it scores 3/10 while the parent that actually runs the payload scores 10/10.