General
-
Target
RzDiagnostic.exe
-
Size
4.8MB
-
Sample
240523-fyjfraeh99
-
MD5
13d321bfdd9e68a0d4a6e35fa47e3b4c
-
SHA1
f3ec7a184eb72eb5254f37108d0c80223664d370
-
SHA256
03c61ca4139ba86cf4375aaf3e91118025ffc60499e44f7738c240c0f24a92d7
-
SHA512
9aefd7ccb13a2b33f1fb7c98e6fa3bbc7feec2f1676620c374eb75f9c6ac9df3674f4b2ef1d7d853f8d6640439c37ae2660e3f7a306cda1a83a8969fc8e804a4
-
SSDEEP
98304:m7/ys8c+rPIfOwDxFoLMr9W8WATWbAOsEdOtPVPSXrMiW/eyTFih0nXZRaD1R8Xi:m7/WrgUF8cvdORVTbWyTFihaqDsX+XsG
Malware Config
Targets
-
-
Target
RzDiagnostic.exe
-
Size
4.8MB
-
MD5
13d321bfdd9e68a0d4a6e35fa47e3b4c
-
SHA1
f3ec7a184eb72eb5254f37108d0c80223664d370
-
SHA256
03c61ca4139ba86cf4375aaf3e91118025ffc60499e44f7738c240c0f24a92d7
-
SHA512
9aefd7ccb13a2b33f1fb7c98e6fa3bbc7feec2f1676620c374eb75f9c6ac9df3674f4b2ef1d7d853f8d6640439c37ae2660e3f7a306cda1a83a8969fc8e804a4
-
SSDEEP
98304:m7/ys8c+rPIfOwDxFoLMr9W8WATWbAOsEdOtPVPSXrMiW/eyTFih0nXZRaD1R8Xi:m7/WrgUF8cvdORVTbWyTFihaqDsX+XsG
Score8/10-
Downloads MZ/PE file
-
Sets file execution options in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Registers COM server for autorun
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks system information in the registry
System information is often read in order to detect sandboxing environments.
-
Command and Scripting Interpreter: PowerShell
Start PowerShell.
-
Suspicious use of SetThreadContext
-