General
- Target: Dekontu.rar
- Size: 907B
- Sample: 240503-p8pvysfh9y
- MD5: 39bf85a0d2fb776ed4ff33f64fe9073c
- SHA1: 143c14d63d254437a01e76bb82ebefebc5b6f097
- SHA256: 881ce6908e060231a797a1db1700ac66a2a58822cfcf8b932ff83a96833a8ceb
- SHA512: 772441f74cda6b6e46ca9aa32b7a568bf4d63df49c62cf08cae9513a3e95b82236a06ba6422d70f53716af0bc01e09c6fa3dd71fe3e0b17bcde76a0a69264707

Static task
- static1

Behavioral task
- behavioral1
- Sample: Dekontu/Odeme -(Mayis).lnk
- Resource: win7-20240221-en

Malware Config

Extracted
- https://www.dobiamfollollc.online/konzjrngodznhitsthjfxjydtjytddy/uiuGJRSgfzjzdgzdghstRgsgtesht/cfhfcg.pif

Extracted
- xenorat
- dns.requimacofradian.site
- Xeno_rat_nd8818g
- delay: 60000
- install_path: appdata
- port: 1243
- startup_name: uic

Targets

Target: Dekontu/Odeme -(Mayis).lnk.lnk
- Size: 2KB
- MD5: 2ad899ef7b0d361186d8487950b7e167
- SHA1: 151d04d656e68152cc2116b0837331a7df30eb27
- SHA256: 2ebd9ab34d58f221ce2034b9f43ad8b128fbc683dab962fbf6222b4eef2a3618
- SHA512: 2a84054d0f22a042eb2390dba4831eea02700334531e09a3e4ce3b7ca0db71d12ea7d0de30b19280ac0fe746002f4fc96a4904832c81b3dac6647c4a9a50b39b

Signatures
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext