General
-
Target
AutoBuy.exe
-
Size
2.8MB
-
Sample
240331-nv79psag6v
-
MD5
ec3328cb44fb4e760b5cdef7bbbcd6f6
-
SHA1
d93d74a1200418ec041d4206513d511da870eaec
-
SHA256
ceb1bbd8e4e6d29926c8011524897693a3240a4bda727d309987a6541cd98907
-
SHA512
e33563185221acfaf7352a37555f8b1c4f73a962f4ae96e1dee52e8f034bc416fee22dff8bba698b596576470c0572abcf5e2dea1929f6151aac05678e78ca01
-
SSDEEP
49152:JxppTslWVwj1GowiT4QRW5CX42rZSkvFksV4qBNmP+X:JxpHVwIozyg3jvbVHBNI
Static task
static1
Behavioral task
behavioral1
Sample
AutoBuy.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
AutoBuy.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
phemedrone
https://api.telegram.org/bot6719312271:AAE1QFaFTcG0HSHiQXVv7gdDUMwSNOPMadg/sendMessage?chat_id=-4194654645
Targets
-
-
Target
AutoBuy.exe
-
Size
2.8MB
-
MD5
ec3328cb44fb4e760b5cdef7bbbcd6f6
-
SHA1
d93d74a1200418ec041d4206513d511da870eaec
-
SHA256
ceb1bbd8e4e6d29926c8011524897693a3240a4bda727d309987a6541cd98907
-
SHA512
e33563185221acfaf7352a37555f8b1c4f73a962f4ae96e1dee52e8f034bc416fee22dff8bba698b596576470c0572abcf5e2dea1929f6151aac05678e78ca01
-
SSDEEP
49152:JxppTslWVwj1GowiT4QRW5CX42rZSkvFksV4qBNmP+X:JxpHVwIozyg3jvbVHBNI
-
XMRig Miner payload
-
Creates new service(s)
-
Drops file in Drivers directory
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-