General

Target: bebulnhx.zip
Size: 5.4MB
Sample: 240620-pzptlaxhlf
MD5: ed3a7489fdccb6cdd0c1da4c22e14081
SHA1: 5220284f1810f2dd38bc9aa5c774970f6244d040
SHA256: 5cad0db91b2eb2dadd485eeb4080daba5736e7bc80d953a190ab7df3c4ca1aca
SHA512: a7e063e2dd802712d51e7ff3a5605150f27ac023e80c9d86e9d51c644040a306b371091e2454c14849379fcc28f7e1b0b4dbfb4b86431e6a418ffc1b7879ef15
SSDEEP: 98304:9e5tMH9DJKsXVoY7ejBJ2kIsOCpPCq2T+LSsn7Cz2I+GiNpt6r9bwgb4WJwTVcLi:9ej8KsxU/7INy6qtHsJ+1561SWJ1i
Static task: static1

Behavioral task: behavioral1
  Sample: INFECTED/bebulnhx.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: INFECTED/bebulnhx.exe
  Resource: win10v2004-20240611-en
Malware Config

Extracted family: tofsee
Extracted domains:
  vanaheim.cn
  jotunheim.name
Targets

Target: INFECTED/bebulnhx.exe
Size: 14.0MB
MD5: 693447e1396a1a501245dbd1d5a3b917
SHA1: 0b09a067c4954fcb628aee2fadaef3cebee8fcac
SHA256: 4e25675e277bb0214d438805c9c4656b6cbb6ceb0023d6f1d0221a8305e3796b
SHA512: 55e83f176c7b3b331d526124710f54b3423ac5b6ad3757eaa1ff33ccaec5d62db14d5af214df60f0529560deb3ba995866f89773f9c295b348d2ca1106ab370f
SSDEEP: 98304:f555555555555555555555555555555555555555555555555555555555555553:
Signatures

- Creates new service(s)
- Modifies Windows Firewall
- Sets service image path in registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Deletes itself
- Executes dropped EXE
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder, T1547.001 (1)
- Create or Modify System Process (2): Windows Service, T1543.003 (2)
- Event Triggered Execution (1): Netsh Helper DLL, T1546.007 (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder, T1547.001 (1)
- Create or Modify System Process (2): Windows Service, T1543.003 (2)
- Event Triggered Execution (1): Netsh Helper DLL, T1546.007 (1)
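The signatures and ATT&CK mappings above reduce to a handful of registry artefacts: a service ImagePath write, a Run key write, a Netsh helper DLL registration, and a read of the configured country code. The following script is an added example, not part of the sandbox report or of the Tofsee sample; it classifies registry-event log lines (action, process image, target key path) against those locations and flags any process that used two or more of the persistence mechanisms. The log lines, the dropped-file path, the service name "svc_example", the Run value name and the helper value name "helper_example" are constructed for illustration; only the registry locations are the standard Windows ones.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Detection rules: (label, registry action, regex over the target key path).
# The key locations are the standard Windows ones for each technique; the
# labels follow the sandbox signature / ATT&CK technique names above.
RULES = [
    ("Windows Service: sets service image path", "SetValue",
     re.compile(r"\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\[^\\]+\\ImagePath$", re.I)),
    ("Registry Run Keys / Startup Folder", "SetValue",
     re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.I)),
    ("Netsh Helper DLL", "SetValue",
     re.compile(r"\\SOFTWARE\\Microsoft\\NetSh\\[^\\]+$", re.I)),
    ("Checks computer location settings", "QueryValue",
     re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)),
]
# The first three rules are persistence; the Geo\Nation read is discovery (geofence).
PERSISTENCE_LABELS = {label for label, _, _ in RULES[:3]}


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Parse one tab-separated event: action<TAB>process image<TAB>target key path.
    Malformed lines return None instead of raising, so one bad line does not
    abort a triage run."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != 3 or not all(p.strip() for p in parts):
        return None
    action, image, target = (p.strip() for p in parts)
    return action, image, target


def classify(action: str, target: str) -> Optional[str]:
    """Return the technique label for one registry event, or None if no rule fires."""
    for label, rule_action, pattern in RULES:
        if action.lower() == rule_action.lower() and pattern.search(target):
            return label
    return None


def triage(lines) -> Dict[str, List[str]]:
    """Map each process image to the distinct labels it triggered, in first-seen order."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        action, image, target = parsed
        label = classify(action, target)
        if label is not None and label not in hits[image]:
            hits[image].append(label)
    return dict(hits)


def suspicious(hits: Dict[str, List[str]]) -> List[str]:
    """Processes that used two or more distinct persistence mechanisms, as the sample did."""
    return sorted(image for image, labels in hits.items()
                  if len(PERSISTENCE_LABELS.intersection(labels)) >= 2)


# Constructed log lines (not sandbox output). The dropped-file path and the
# service / value names are placeholders; the key locations are real.
DROPPED = r"C:\Users\Public\bebulnhx.exe"
SAMPLE_LOG = [
    "\t".join(["QueryValue", DROPPED, r"HKCU\Control Panel\International\Geo\Nation"]),
    "\t".join(["SetValue", DROPPED, r"HKLM\SYSTEM\CurrentControlSet\Services\svc_example\ImagePath"]),
    "\t".join(["SetValue", DROPPED, r"HKLM\SOFTWARE\Microsoft\NetSh\helper_example"]),
    "\t".join(["SetValue", DROPPED, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\bebulnhx"]),
    "\t".join(["SetValue", DROPPED, r"HKLM\SYSTEM\CurrentControlSet\Services\svc_example\ImagePath"]),  # repeat, de-duplicated
    "\t".join(["SetValue", r"C:\Windows\System32\svchost.exe",
               r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive"]),  # single hit, not flagged
    "\t".join(["SetValue", r"C:\Windows\explorer.exe",
               r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"]),  # no rule fires
    "garbage line without tabs",  # skipped by parse_line
]

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for image, labels in report.items():
        print(image, "->", "; ".join(labels))
    print("suspicious:", suspicious(report))
```

The Geo\Nation read is kept out of the persistence count on purpose: many legitimate installers query it, so it only adds context to a process that already shows persistence hits. A real deployment would feed Sysmon event ID 12/13 TargetObject values (or an equivalent EDR registry feed) into triage() instead of the constructed lines.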