General

Target: RFQ-M310.gz
Size: 444KB
Sample: 240503-p8pj7aba49
MD5: 455e56362a0b6f05e32f22be03163213
SHA1: 451a3670f0a5de278102cc4ef85cd7e10f8e223b
SHA256: 3899cf4d89c69149510b5e0ea51630c44ac88012d77ef402f2e60baf7752abde
SHA512: 04daaf3fe4cfcd0b02dcbc71e084d1604ee862ca4c13ae3b54752b9b398f03f62596491494465b60e5fe4751b3f1c417eb67fce3b27e526c16c1c86c87a90cdc
SSDEEP: 12288:nGPq4ALF2uQIIEtVL2fnAJ7D6S3dCQv5I7nb+2Zu:NtZtsnAJXJRa/+2Zu
Static task: static1
Behavioral task: behavioral1 (sample "RFQ-M310 .exe", resource win7-20240221-en)
Behavioral task: behavioral2 (sample "RFQ-M310 .exe", resource win10v2004-20240419-en)
Behavioral task: behavioral3 (sample Gradsforskellenes.ps1, resource win7-20231129-en)
Behavioral task: behavioral4 (sample Gradsforskellenes.ps1, resource win10v2004-20240426-en)
Malware Config

Targets

Target: RFQ-M310 .exe
Size: 570KB
MD5: 6ea6f23008cb3be4fec61af89c38a21c
SHA1: 0b5bfd81d467d52232791c10799738565b5dbd15
SHA256: fb6ba86c5bf77ed1992e3568ffa2eecd305b5dad7000726e0fd4e53d87694308
SHA512: 747b26968c1e953469dfb0d857e3f1c3508d4af5e015c8848111a96be073cce14e3c9dda113bfa37cd36c0802fdd5ad461ef7b28044bb13de3793e374768ecda
SSDEEP: 12288:HTqa+eIUDOeIMtvLG9nAJ7DySPdCQvJI71h2M:KLMLtmnAJXBJ6b2M
Score: 8/10
Signatures:
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
Gradsforskellenes.Zlo
-
Size
59KB
-
MD5
782b400cdee34a41e22aa61388c2bafd
-
SHA1
62a6098b74bc584442c842cb09eb5c8eda3560a2
-
SHA256
f4063d08de6e6baaabdfe48264f47de4ecec7922bb843ba088c8a6bab22c5538
-
SHA512
de1a6c0eeca32aba17c5c90f1ace7ba191be5095c9ae242ac18951cef674f2cd64562a10238a242bd0f6d112c078608d64cef08eec9f652759fc15a2ad684455
-
SSDEEP
1536:SqW1Zqg0oIIt1gqyByZNeq2hwOcmrt/381alr1:T+EgV3fgNINUhvco8w1
Score8/10-
Modifies Installed Components in the registry
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
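Before acting on either target block, confirm that the file you hold is the one the report describes. The script below is an added example, not part of the report or of any sandbox vendor's tooling: it hashes the outer archive from the General section, decompresses its single gzip member under a size cap, reads the member name from the gzip header (the executed file is named "RFQ-M310 .exe", with a space before the extension), and compares both against the MD5/SHA1/SHA256/SHA512 values above. SSDEEP is omitted because it needs the third-party ssdeep binding. The real sample is not embedded; constructed_sample() builds a stand-in archive so the script runs offline, and it necessarily reports a mismatch against the real hashes.

```python
"""Check a held file against the hashes in the report above.

Added example; not part of the report or of any sandbox's tooling.
"""
import gzip
import hashlib
import io
import sys
from typing import Dict, Optional

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

# Values copied from the report. The executed member's name carries a space
# before the extension.
REPORT: Dict[str, Dict[str, str]] = {
    "RFQ-M310.gz": {
        "md5": "455e56362a0b6f05e32f22be03163213",
        "sha1": "451a3670f0a5de278102cc4ef85cd7e10f8e223b",
        "sha256": "3899cf4d89c69149510b5e0ea51630c44ac88012d77ef402f2e60baf7752abde",
        "sha512": "04daaf3fe4cfcd0b02dcbc71e084d1604ee862ca4c13ae3b54752b9b398f03f6"
                  "2596491494465b60e5fe4751b3f1c417eb67fce3b27e526c16c1c86c87a90cdc",
    },
    "RFQ-M310 .exe": {
        "md5": "6ea6f23008cb3be4fec61af89c38a21c",
        "sha1": "0b5bfd81d467d52232791c10799738565b5dbd15",
        "sha256": "fb6ba86c5bf77ed1992e3568ffa2eecd305b5dad7000726e0fd4e53d87694308",
        "sha512": "747b26968c1e953469dfb0d857e3f1c3508d4af5e015c8848111a96be073cce1"
                  "4c9dda113bfa37cd36c0802fdd5ad461ef7b28044bb13de3793e374768ecda",
    },
}

MAX_DECOMPRESSED = 64 * 1024 * 1024  # cap against decompression bombs; member is 570KB


def digests(data: bytes) -> Dict[str, str]:
    """Hex digests of `data`, keyed by algorithm name as in the report."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def gzip_member_name(blob: bytes) -> Optional[str]:
    """FNAME field of a gzip header (RFC 1952), or None if absent or not gzip."""
    if len(blob) < 10 or blob[:2] != b"\x1f\x8b":
        return None
    flg, pos = blob[3], 10
    if flg & 0x04:  # FEXTRA: 2-byte little-endian length, then that many bytes
        pos += 2 + int.from_bytes(blob[pos:pos + 2], "little")
    if flg & 0x08:  # FNAME: zero-terminated, latin-1
        return blob[pos:blob.index(b"\x00", pos)].decode("latin-1")
    return None


def read_member(blob: bytes) -> bytes:
    """Decompress the single gzip member, refusing output above the cap."""
    with gzip.GzipFile(fileobj=io.BytesIO(blob)) as gz:
        inner = gz.read(MAX_DECOMPRESSED + 1)  # OSError/EOFError if not valid gzip
    if len(inner) > MAX_DECOMPRESSED:
        raise ValueError("decompressed member exceeds %d bytes" % MAX_DECOMPRESSED)
    return inner


def compare(name: str, data: bytes, report: Dict[str, Dict[str, str]]) -> str:
    """'match', 'MISMATCH (algs)' or 'not in report' for one artifact."""
    expected = report.get(name)
    if expected is None:
        return "not in report"
    actual = digests(data)
    bad = [alg for alg, value in expected.items() if actual.get(alg) != value.lower()]
    return "match" if not bad else "MISMATCH (%s)" % ",".join(bad)


def check_archive(blob: bytes, outer_name: str,
                  report: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Verify the archive and its member; keys are artifact names, values statuses."""
    results = {outer_name: compare(outer_name, blob, report)}
    try:
        inner = read_member(blob)
    except (OSError, EOFError, ValueError) as exc:
        results["<member>"] = "unreadable: %s" % exc
        return results
    member = gzip_member_name(blob) or "<unnamed member>"
    results[member] = compare(member, inner, report)
    return results


def constructed_sample() -> bytes:
    """Constructed stand-in archive; the real RFQ-M310.gz is not embedded here."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename="RFQ-M310 .exe", mode="wb", fileobj=buf, mtime=0) as gz:
        gz.write(b"MZ" + b"\x00" * 62 + b"constructed payload, not the real sample")
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python check.py /path/to/RFQ-M310.gz
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
        outer = sys.argv[1].replace("\\", "/").rsplit("/", 1)[-1]
    else:                  # no file given: run on the constructed stand-in
        blob, outer = constructed_sample(), "RFQ-M310.gz"
    for artifact, status in check_archive(blob, outer, REPORT).items():
        print("%s: %s" % (artifact, status))
```

Run it with the path to the archive you were sent; "match" on both lines means the outer file and the embedded executable are the ones the sandbox analysed. The Gradsforskellenes.Zlo target is not inside the archive, so its hashes are checked the same way against whatever file the sandbox dropped, not by this script.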