7126b9932dc0cdfe751340edfa7c4a14b69262eb1afd0530e6d1fdb2e25986dd

Sharing

Copy URL

Twitter E-mail

General

Target

info.zip
Size

3.4MB
Sample

240916-fqz4jazfqr
MD5

cbcb58ffe45c202c11bcf2070496aed6
SHA1

b47d1618177b6bc219b8734cd02f9cf7be7aff43
SHA256

7126b9932dc0cdfe751340edfa7c4a14b69262eb1afd0530e6d1fdb2e25986dd
SHA512

97115e8faf2a0554d899f05931d29a99a500ff849d0f3fbf5ab5d36387b8938288e25804b8ef0b031a18ae04fd23e52959737f7b94a369e2fa55922861ef506d
SSDEEP

98304:SyrPvG3UNpYqQLpXhHHeanDebmPL+okjWa1lu/:SyrPO3UDsdXp+z8+FWyE

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
69.163.177.2
Port:
21
Username:
ftp
Password:
123

Extracted

Credentials

Protocol: ftp
Host:
161.246.37.8
Port:
21
Username:
admin
Password:
gino

Targets

- Target
  
  info.zip
- Size
  
  3.4MB
- MD5
  
  cbcb58ffe45c202c11bcf2070496aed6
- SHA1
  
  b47d1618177b6bc219b8734cd02f9cf7be7aff43
- SHA256
  
  7126b9932dc0cdfe751340edfa7c4a14b69262eb1afd0530e6d1fdb2e25986dd
- SHA512
  
  97115e8faf2a0554d899f05931d29a99a500ff849d0f3fbf5ab5d36387b8938288e25804b8ef0b031a18ae04fd23e52959737f7b94a369e2fa55922861ef506d
- SSDEEP
  
  98304:SyrPvG3UNpYqQLpXhHHeanDebmPL+okjWa1lu/:SyrPO3UDsdXp+z8+FWyE
Score

1^/10
behavioral1 behavioral2
- Target
  
  IMG001.scr
- Size
  
  3.4MB
- MD5
  
  fbbcf1e9501234d6661a0c9ae6dc01c9
- SHA1
  
  1ca9759a324159f331e79ea6871ad62040521b41
- SHA256
  
  d9901b16a93aad709947524379d572a7a7bf8e2741e27a1112c95977d4a6ea8c
- SHA512
  
  027e5ea6d92955b87439f61704de5b3e21c7a8e0a95327868951968e4f5cbed59cf1e803ac9adb2c9cf577db7a2f6fd4383b7384d57a78596cfb2ff020907140
- SSDEEP
  
  98304:M5VPnq1y5tQOM33ZNqCtBixHl54Oyjes1Ro6:2VPq1yLanrqTr43eON
Score

8^/10

defense_evasion discovery persistence
- Indicator Removal: Network Share Connection Removal
  Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Network Share Discovery
  Attempt to gather information on host network.
  discovery
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/ExecDos.dll
- Size
  
  6KB
- MD5
  
  d7b975049ec3aba50e4b7cc654a28214
- SHA1
  
  25f2578945ebc9ac037fef7b7f94c5d48e42388b
- SHA256
  
  42422d912b9c626ad93eb8c036ad82ee67cfa48cf75259c20c327eddd4cc376f
- SHA512
  
  f95f7875aeab586d42ee48029f7feed6e2fd8a7d106671e225ff5cf9ad83375f0ec3b8b288177c5d48b4c51eeddde687d67e7b07ad324e24059cff0a6516c270
- SSDEEP
  
  96:31pNOe2w5QbJHsBiyw4uM4jEFVliuOtac32FOeSMV7WhWD:dj5Qb1sBPuijiu6avTyhW
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  $PLUGINSDIR/inetc.dll
- Size
  
  21KB
- MD5
  
  d7a3fa6a6c738b4a3c40d5602af20b08
- SHA1
  
  34fc75d97f640609cb6cadb001da2cb2c0b3538a
- SHA256
  
  67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e
- SHA512
  
  75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934
- SSDEEP
  
  384:oW4gLK82JvtosNCPhXKJ18hcEP1+f+pvMPbkdTg1Zahzs60Ac9khYLMkIX0+Gbyk:oW4i/2JloB5IQ9AhkwZaKRu
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  $R9/NsCpuCNMiner32.exe
- Size
  
  1.4MB
- MD5
  
  3afeb8e9af02a33ff71bf2f6751cae3a
- SHA1
  
  fd358cfe41c7aa3aa9e4cf62f832d8ae6baa8107
- SHA256
  
  a0eba3fda0d7b22a5d694105ec700df7c7012ddc4ae611c3071ef858e2c69f08
- SHA512
  
  11a2c12d7384d2743d25b9e28fc4ea0c3e2771aca92875fd3350f457df66c66827d175f67108f1a56d958f3b1163f3a89eedb8919bf7973d037241a1e59231d5
- SSDEEP
  
  24576:gWKqa4hnzP3w7L3rmZmpk7FSQFW2iJ+N07/TwYV1CdZdQ+4lT+iFgiGTtswAtdz:gSrwf3aZmpOFU2iQNIUc1LxGTtswgd
Score

7^/10

discovery vmprotect
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral10 behavioral9
- Target
  
  $R9/NsCpuCNMiner64.exe
- Size
  
  1.5MB
- MD5
  
  eedb9d86ae8abc65fa7ac7c6323d4e8f
- SHA1
  
  ce1fbf382e89146ea5a22ae551b68198c45f40e4
- SHA256
  
  d0326f0ddce4c00f93682e3a6f55a3125f6387e959e9ed6c5e5584e78e737078
- SHA512
  
  9de3390197a02965feed6acdc77a292c0ef160e466fbfc9500fa7de17b0225a935127da71029cb8006bc7a5f4b5457319362b7a7caf4c0bf92174d139ed52ab5
- SSDEEP
  
  24576:Mf79KQimeoyEgM8dSGDeCAQ4GYwEkYEDI3BiiVzKJo23bvH5xh8wtDzgClYAdC51:b3EciPG9E/LBVeJo2Vsw57lYAA51
Score

7^/10

vmprotect
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral11 behavioral12
- Target
  
  $R9/Plugins/ExecDos.dll
- Size
  
  6KB
- MD5
  
  d7b975049ec3aba50e4b7cc654a28214
- SHA1
  
  25f2578945ebc9ac037fef7b7f94c5d48e42388b
- SHA256
  
  42422d912b9c626ad93eb8c036ad82ee67cfa48cf75259c20c327eddd4cc376f
- SHA512
  
  f95f7875aeab586d42ee48029f7feed6e2fd8a7d106671e225ff5cf9ad83375f0ec3b8b288177c5d48b4c51eeddde687d67e7b07ad324e24059cff0a6516c270
- SSDEEP
  
  96:31pNOe2w5QbJHsBiyw4uM4jEFVliuOtac32FOeSMV7WhWD:dj5Qb1sBPuijiu6avTyhW
Score

3^/10

discovery
behavioral13 behavioral14
- Target
  
  $R9/Plugins/inetc.dll
- Size
  
  21KB
- MD5
  
  d7a3fa6a6c738b4a3c40d5602af20b08
- SHA1
  
  34fc75d97f640609cb6cadb001da2cb2c0b3538a
- SHA256
  
  67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e
- SHA512
  
  75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934
- SSDEEP
  
  384:oW4gLK82JvtosNCPhXKJ18hcEP1+f+pvMPbkdTg1Zahzs60Ac9khYLMkIX0+Gbyk:oW4i/2JloB5IQ9AhkwZaKRu
Score

3^/10

discovery
behavioral15 behavioral16
- Target
  
  $R9/Plugins/tftp.exe
- Size
  
  95KB
- MD5
  
  21e42b4fdb800644335dd8cc95826c7b
- SHA1
  
  23ec304fab33af1cacf0a167aeb7465631286128
- SHA256
  
  73ddf0df4e9e3866511ef9eae421b11615b81491d0db1d4a7ed19441e368ecef
- SHA512
  
  7fe97cc38afea51b8b8776c860d49d3cac92df63f6acd4f647056a6210288ac387d499e8f6f281cdd31d73e6f1218bc08baa696b0c7c8d33d55543875c1be7b6
- SSDEEP
  
  1536:NW7lchydMBUxt/lP8KB1R88EKaoLQWAmcTGI7Unt:MChye+x38KrRLMUnt
Score

10^/10

discovery
- Contacts a large (1085) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
behavioral17 behavioral18
- Target
  
  $R9/Stubs/bzip2
- Size
  
  34KB
- MD5
  
  7ac2315d458a6c78f81f7167b164ef37
- SHA1
  
  f501956f346fe7ac49454f5eae54907eeb247f1d
- SHA256
  
  a32a41c520aa1d08d8e5cbc18c1994f92d47bede5cb8d3aca761579d242d249d
- SHA512
  
  00802299e1161ac3a3849678a0515e2ed4548a9c1397635fb546683a525f2dbaab8b90875d81821bc66b76c6669a309922284e818f510fb0d81d0c317458919b
- SSDEEP
  
  768:FqVnDX38+t1ehxQ7unyskUplx3tUeLTjWfgeOVGM4jjfS3XJvai:kjs+t1ehxQuntkULceeM4sXJz
Score

3^/10

discovery
behavioral19 behavioral20
- Target
  
  $R9/Stubs/bzip2_solid
- Size
  
  34KB
- MD5
  
  0a108faf2f740e2b1a97d64985fdd1b4
- SHA1
  
  e349e668f756ea4b9460bcb2be54504dc357d3d1
- SHA256
  
  5a9ecc6d9dbd32c54507496f022ecca949e18235bb0865e1aa345eb84e6af0cf
- SHA512
  
  3f27d919d40dfbd431c1516a8803178d5e699f91856e8f9616b7f3fdc755af863f25c29cf08191775ab04d1457a0db8741e1697a66bd2c84252de58942c16faf
- SSDEEP
  
  768:/Jyky/Nki4Q/JRQ/RZ49ylKR2e7jbEcIKFvGmjXO3XJOai:hiki4Q/JR2RZ49A1ecjXJ+
Score

3^/10

discovery
behavioral21 behavioral22
- Target
  
  $R9/Stubs/folder.ico
- Size
  
  52KB
- MD5
  
  bbf9dbdc079c0cd95f78d728aa3912d4
- SHA1
  
  051f76cc8c6520768bac9559bb329abeebd70d7c
- SHA256
  
  bef53904908769ceeb60f8e0976c3194e73534f00f4afb65497c2091121b98b2
- SHA512
  
  af110c52c983f1cf55b3db7d375e03c8c9308e3cf9ee1c154c2b25cb3f8299f0c0ba87b47445f09f98659eb536184c245887a341733c11af713e9ecc15288b5d
- SSDEEP
  
  1536:y3i6EBXR2n7dqnfiVDIHMPV0+l/SLOUp4:8eiVD+EmUSLOUp4
Score

3^/10
behavioral23 behavioral24
- Target
  
  $R9/Stubs/icon.ico
- Size
  
  60KB
- MD5
  
  7d0235756df111aeae2600d12bc6fa6b
- SHA1
  
  82d44ef66c49adcc08b0856de9c37fd95bd12ed2
- SHA256
  
  9658fe1598581f8b9410f74f2ec6dc861a6827d4adf41f8494d8629ab9818367
- SHA512
  
  18664048c787dc30461698c36a567c723a5a5efa203e09ae743e456096b8c24f8d4244bbeb777ff438c4f97c589146f8c014e24d821134cb9bd62dd83416cacd
- SSDEEP
  
  768:5JIpxPXbplHfPtUwJowhs1LBEyKTsSIu1n+sHs1eNjcfgJdmepWndoDSJTze2zu7:5Gpx/9l/7RyVcTIuGeNjcfgfu6Ds5hfM
Score

3^/10
behavioral25 behavioral26
- Target
  
  $R9/Stubs/lzma
- Size
  
  33KB
- MD5
  
  9557ea4608e64b857c1125eb41ba7429
- SHA1
  
  d7276eccc032919c84fc05f206d3cdd0b40fe1fb
- SHA256
  
  b72d402fce699b21bbf0a4a86ab9fb7f8a083aeacd4f797be7a7f6f91ef93d62
- SHA512
  
  8eb238cd34668c12779553b7ef15cbeb4d8dd7aac36b5f044c680b83b04f7e2564905625e14ae5c5e06e4e9b5ccdb1663a08aa63a95e176266d59924061a6ce8
- SSDEEP
  
  768:/ip/4K0wirQK33PaH81Fej4w0kGvFONg4jjfS3XJWai:6Zr0wirt3/aEecbsg4sXJW
Score

3^/10

discovery
behavioral27 behavioral28
- Target
  
  $R9/Stubs/rar.ico
- Size
  
  9KB
- MD5
  
  026f40c3ab0068845b6198600bb4a0a8
- SHA1
  
  2dc1e159d9a40274b807e12fe9ff7ea61674ec4f
- SHA256
  
  a7ef8781a56f07a7d8dcceb21eec53ba8a2b7aa4e0e0189edc7c4f4726a5ab05
- SHA512
  
  54cc2cdda37fc1bb9684c38e69dbb13cdfa6c06d5c6982fa8febdb29c33ff4fa7c39f649ca7b2e6ab452ed34aa2389aaabe242e2ccf3f431e428c61ae657b6ad
- SSDEEP
  
  96:LOuLCJei0gKCmTIXf5EbJqrHTHnC47EvqbV9u8iVXpPbmyP+qM4c:L7KeXgzmoBE4rzHVIybVUzTNPLM4c
Score

3^/10
behavioral29 behavioral30
- Target
  
  $R9/Stubs/uninst
- Size
  
  766B
- MD5
  
  4023b710d3b47d9101c27f5da22aa5ef
- SHA1
  
  305c101062c424e728b393409ccf43d5295634a7
- SHA256
  
  ba82bb5d90262417a18cec6631bbd8b880020eb159b45f264a9145196dfb8f3a
- SHA512
  
  03ecea5fd46d4e9f79440a4ec5af3d27f1a60716e5579a1d38d684a1e42d1604fa6bed146eabf2fc2398d5898e67575cfde1ae0cbcd9c9a78c743f95eb366acc
Score

1^/10
behavioral31 behavioral32