General
-
Target
861375605b6f4b622556d5b04f6329440a26b38dfa066b114c55d258ac4895bc.doc
-
Size
109KB
-
Sample
240802-cg2zzstgmb
-
MD5
639df28efc7717655b1d8cc618a76b1c
-
SHA1
9e79c9d82ad07f95b09e73bbba792a889911f51e
-
SHA256
861375605b6f4b622556d5b04f6329440a26b38dfa066b114c55d258ac4895bc
-
SHA512
62fdd2c3b2da4481c4cb380e01a37c67f7005e5024cef3b960883b227b659e056680152d2d72002a1496e293e7f97a47d3a67f8ab890b63209a00f19862a3d6c
-
SSDEEP
1536:vkc1B8Tf5nq7gPgP8MDw/jlQx1JE7vReOr0l77CXXNaHsdUXSIt98iuB/xDC:vV2ClwH9r0l77AnsSmy/B/xDC
Behavioral task
behavioral1
Sample
861375605b6f4b622556d5b04f6329440a26b38dfa066b114c55d258ac4895bc.docm
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
861375605b6f4b622556d5b04f6329440a26b38dfa066b114c55d258ac4895bc.docm
Resource
win10v2004-20240730-en
Malware Config
Extracted
https://drive.google.com/uc?export=download&id=
Extracted
Protocol: ftp- Host:
ftp.desckvbrat.com.br - Port:
21 - Username:
desckvbrat1 - Password:
developerpro21578Jp@@
Extracted
revengerat
NyanCatRevenge
marcelotatuape.ddns.net:333
3e042ee793c84
Targets
-
-
Target
861375605b6f4b622556d5b04f6329440a26b38dfa066b114c55d258ac4895bc.doc
-
Size
109KB
-
MD5
639df28efc7717655b1d8cc618a76b1c
-
SHA1
9e79c9d82ad07f95b09e73bbba792a889911f51e
-
SHA256
861375605b6f4b622556d5b04f6329440a26b38dfa066b114c55d258ac4895bc
-
SHA512
62fdd2c3b2da4481c4cb380e01a37c67f7005e5024cef3b960883b227b659e056680152d2d72002a1496e293e7f97a47d3a67f8ab890b63209a00f19862a3d6c
-
SSDEEP
1536:vkc1B8Tf5nq7gPgP8MDw/jlQx1JE7vReOr0l77CXXNaHsdUXSIt98iuB/xDC:vV2ClwH9r0l77AnsSmy/B/xDC
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-