General
- Target: ZoomInstallerFull.exe
- Size: 47.1MB
- Sample: 240716-wfktvstdlk
- MD5: ba6a3615a1780e5c1bc05c02a505e40b
- SHA1: ce0ca3608dbc6730750a443c138870a7882c1859
- SHA256: ab8e39e178ce83b48ee9863cc2dc58bba5b45ed5d54431efb878221904e9a796
- SHA512: 7ad2f9d9d5eb7ead5bf8e2e52b348b756caf1a1754e2bb9cf2f49a30093f6280767055a7906e996b4ee92a7c034769686eb062037deceb616789fa524b96ff3a
- SSDEEP: 786432:sndETNQLqskf7BmvVgMopLl4UMzI2IIj2dQYgs7EOaZYn7sUmPkX85NPYI7qTCzH:sdEpQLqsQB0o1OU+ucSPgyaYn7sUmPI0
Static task: static1
Behavioral task: behavioral1 (Sample: ZoomInstallerFull.exe, Resource: win7-20240708-en)
Behavioral task: behavioral2 (Sample: ZoomInstallerFull.exe, Resource: win10-20240404-en)
Behavioral task: behavioral3 (Sample: ZoomInstallerFull.exe, Resource: win10v2004-20240709-en)
Behavioral task: behavioral4 (Sample: ZoomInstallerFull.exe, Resource: win11-20240709-en)
Malware Config
Extracted
- stealc
- doralands15
- http://194.116.214.213
  - url_path: /5b0beefd0d5da45a.php
Targets
- Detects HijackLoader (aka IDAT Loader)
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Downloads MZ/PE file
- .NET Reactor protector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext