General
- Target: 702e6b398def88f7e473b2d1fc10bc1529f6186a53a40c3a9ee0cba8b422372a
- Size: 172KB
- Sample: 240420-28m3ksce37
- MD5: 022735f30eca92db0eb6af97093a148b
- SHA1: 3708b43536fc0cfaa5e9970909fa2b9d2367beb5
- SHA256: 702e6b398def88f7e473b2d1fc10bc1529f6186a53a40c3a9ee0cba8b422372a
- SHA512: 841192dde7a9dd9898d2b983d39a0248a2e504a5a89ef9a0493f69d8abd94daaae6ce25a837ad60f9f7536788c234cba626f0cded78aa763eb61810d211fbacb
- SSDEEP: 3072:ylRWMa328PS8P7zi+I0dtpFBFa6pB0Kca00CKBPlYmja:ylRWMaVPhP7O+ZDpFq6pB0Kcl
Static task: static1
Behavioral task: behavioral1
- Sample: 702e6b398def88f7e473b2d1fc10bc1529f6186a53a40c3a9ee0cba8b422372a.exe
- Resource: win7-20240220-en
Malware Config
Extracted
- pony
  http://45.58.116.102/~admin/maindomainkid009_net/ajuk/fire/gate.php
- payload_url: http://45.58.116.102/~admin/maindomainkid009_net/ajuk/fire/micro.exe
Targets
- Target: 702e6b398def88f7e473b2d1fc10bc1529f6186a53a40c3a9ee0cba8b422372a
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers
- Detects executables referencing many file transfer clients. Observed in information stealers
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext