7126b9932dc0cdfe751340edfa7c4a14b69262eb1afd0530e6d1fdb2e25986dd

Sharing

Copy URL

Twitter E-mail

General

Target

info.zip
Size

3.4MB
Sample

240916-lxph9s1fjp
MD5

cbcb58ffe45c202c11bcf2070496aed6
SHA1

b47d1618177b6bc219b8734cd02f9cf7be7aff43
SHA256

7126b9932dc0cdfe751340edfa7c4a14b69262eb1afd0530e6d1fdb2e25986dd
SHA512

97115e8faf2a0554d899f05931d29a99a500ff849d0f3fbf5ab5d36387b8938288e25804b8ef0b031a18ae04fd23e52959737f7b94a369e2fa55922861ef506d
SSDEEP

98304:SyrPvG3UNpYqQLpXhHHeanDebmPL+okjWa1lu/:SyrPO3UDsdXp+z8+FWyE

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
154.7.120.7
Port:
21
Username:
admin
Password:
lol123

Extracted

Credentials

Protocol: ftp
Host:
5.56.60.2
Port:
21
Username:
user
Password:
chocolat

Extracted

Credentials

Protocol: ftp
Host:
68.233.246.4
Port:
21
Username:
root
Password:
asdf

Extracted

Credentials

Protocol: ftp
Host:
185.146.22.4
Port:
21
Username:
root
Password:
tudelft

Extracted

Credentials

Protocol: ftp
Host:
77.72.82.8
Port:
21
Username:
ftp

Extracted

Credentials

Protocol: ftp
Host:
212.96.133.11
Port:
21
Username:
user
Password:
11111111

Targets

- Target
  
  IMG001.scr
- Size
  
  3.4MB
- MD5
  
  fbbcf1e9501234d6661a0c9ae6dc01c9
- SHA1
  
  1ca9759a324159f331e79ea6871ad62040521b41
- SHA256
  
  d9901b16a93aad709947524379d572a7a7bf8e2741e27a1112c95977d4a6ea8c
- SHA512
  
  027e5ea6d92955b87439f61704de5b3e21c7a8e0a95327868951968e4f5cbed59cf1e803ac9adb2c9cf577db7a2f6fd4383b7384d57a78596cfb2ff020907140
- SSDEEP
  
  98304:M5VPnq1y5tQOM33ZNqCtBixHl54Oyjes1Ro6:2VPq1yLanrqTr43eON
Score

8^/10

defense_evasion discovery persistence
- Indicator Removal: Network Share Connection Removal
  Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Network Share Discovery
  Attempt to gather information on host network.
  discovery
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/ExecDos.dll
- Size
  
  6KB
- MD5
  
  d7b975049ec3aba50e4b7cc654a28214
- SHA1
  
  25f2578945ebc9ac037fef7b7f94c5d48e42388b
- SHA256
  
  42422d912b9c626ad93eb8c036ad82ee67cfa48cf75259c20c327eddd4cc376f
- SHA512
  
  f95f7875aeab586d42ee48029f7feed6e2fd8a7d106671e225ff5cf9ad83375f0ec3b8b288177c5d48b4c51eeddde687d67e7b07ad324e24059cff0a6516c270
- SSDEEP
  
  96:31pNOe2w5QbJHsBiyw4uM4jEFVliuOtac32FOeSMV7WhWD:dj5Qb1sBPuijiu6avTyhW
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/inetc.dll
- Size
  
  21KB
- MD5
  
  d7a3fa6a6c738b4a3c40d5602af20b08
- SHA1
  
  34fc75d97f640609cb6cadb001da2cb2c0b3538a
- SHA256
  
  67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e
- SHA512
  
  75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934
- SSDEEP
  
  384:oW4gLK82JvtosNCPhXKJ18hcEP1+f+pvMPbkdTg1Zahzs60Ac9khYLMkIX0+Gbyk:oW4i/2JloB5IQ9AhkwZaKRu
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  $R9/NsCpuCNMiner32.exe
- Size
  
  1.4MB
- MD5
  
  3afeb8e9af02a33ff71bf2f6751cae3a
- SHA1
  
  fd358cfe41c7aa3aa9e4cf62f832d8ae6baa8107
- SHA256
  
  a0eba3fda0d7b22a5d694105ec700df7c7012ddc4ae611c3071ef858e2c69f08
- SHA512
  
  11a2c12d7384d2743d25b9e28fc4ea0c3e2771aca92875fd3350f457df66c66827d175f67108f1a56d958f3b1163f3a89eedb8919bf7973d037241a1e59231d5
- SSDEEP
  
  24576:gWKqa4hnzP3w7L3rmZmpk7FSQFW2iJ+N07/TwYV1CdZdQ+4lT+iFgiGTtswAtdz:gSrwf3aZmpOFU2iQNIUc1LxGTtswgd
Score

7^/10

discovery vmprotect
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral7 behavioral8
- Target
  
  $R9/NsCpuCNMiner64.exe
- Size
  
  1.5MB
- MD5
  
  eedb9d86ae8abc65fa7ac7c6323d4e8f
- SHA1
  
  ce1fbf382e89146ea5a22ae551b68198c45f40e4
- SHA256
  
  d0326f0ddce4c00f93682e3a6f55a3125f6387e959e9ed6c5e5584e78e737078
- SHA512
  
  9de3390197a02965feed6acdc77a292c0ef160e466fbfc9500fa7de17b0225a935127da71029cb8006bc7a5f4b5457319362b7a7caf4c0bf92174d139ed52ab5
- SSDEEP
  
  24576:Mf79KQimeoyEgM8dSGDeCAQ4GYwEkYEDI3BiiVzKJo23bvH5xh8wtDzgClYAdC51:b3EciPG9E/LBVeJo2Vsw57lYAA51
Score

7^/10

vmprotect
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral10 behavioral9
- Target
  
  $R9/Plugins/ExecDos.dll
- Size
  
  6KB
- MD5
  
  d7b975049ec3aba50e4b7cc654a28214
- SHA1
  
  25f2578945ebc9ac037fef7b7f94c5d48e42388b
- SHA256
  
  42422d912b9c626ad93eb8c036ad82ee67cfa48cf75259c20c327eddd4cc376f
- SHA512
  
  f95f7875aeab586d42ee48029f7feed6e2fd8a7d106671e225ff5cf9ad83375f0ec3b8b288177c5d48b4c51eeddde687d67e7b07ad324e24059cff0a6516c270
- SSDEEP
  
  96:31pNOe2w5QbJHsBiyw4uM4jEFVliuOtac32FOeSMV7WhWD:dj5Qb1sBPuijiu6avTyhW
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  $R9/Plugins/inetc.dll
- Size
  
  21KB
- MD5
  
  d7a3fa6a6c738b4a3c40d5602af20b08
- SHA1
  
  34fc75d97f640609cb6cadb001da2cb2c0b3538a
- SHA256
  
  67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e
- SHA512
  
  75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934
- SSDEEP
  
  384:oW4gLK82JvtosNCPhXKJ18hcEP1+f+pvMPbkdTg1Zahzs60Ac9khYLMkIX0+Gbyk:oW4i/2JloB5IQ9AhkwZaKRu
Score

3^/10

discovery
behavioral13 behavioral14
- Target
  
  $R9/Plugins/tftp.exe
- Size
  
  95KB
- MD5
  
  21e42b4fdb800644335dd8cc95826c7b
- SHA1
  
  23ec304fab33af1cacf0a167aeb7465631286128
- SHA256
  
  73ddf0df4e9e3866511ef9eae421b11615b81491d0db1d4a7ed19441e368ecef
- SHA512
  
  7fe97cc38afea51b8b8776c860d49d3cac92df63f6acd4f647056a6210288ac387d499e8f6f281cdd31d73e6f1218bc08baa696b0c7c8d33d55543875c1be7b6
- SSDEEP
  
  1536:NW7lchydMBUxt/lP8KB1R88EKaoLQWAmcTGI7Unt:MChye+x38KrRLMUnt
Score

10^/10

discovery
- Contacts a large (1051) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
behavioral15 behavioral16
- Target
  
  $R9/Stubs/bzip2
- Size
  
  34KB
- MD5
  
  7ac2315d458a6c78f81f7167b164ef37
- SHA1
  
  f501956f346fe7ac49454f5eae54907eeb247f1d
- SHA256
  
  a32a41c520aa1d08d8e5cbc18c1994f92d47bede5cb8d3aca761579d242d249d
- SHA512
  
  00802299e1161ac3a3849678a0515e2ed4548a9c1397635fb546683a525f2dbaab8b90875d81821bc66b76c6669a309922284e818f510fb0d81d0c317458919b
- SSDEEP
  
  768:FqVnDX38+t1ehxQ7unyskUplx3tUeLTjWfgeOVGM4jjfS3XJvai:kjs+t1ehxQuntkULceeM4sXJz
Score

3^/10

discovery
behavioral17 behavioral18
- Target
  
  $R9/Stubs/bzip2_solid
- Size
  
  34KB
- MD5
  
  0a108faf2f740e2b1a97d64985fdd1b4
- SHA1
  
  e349e668f756ea4b9460bcb2be54504dc357d3d1
- SHA256
  
  5a9ecc6d9dbd32c54507496f022ecca949e18235bb0865e1aa345eb84e6af0cf
- SHA512
  
  3f27d919d40dfbd431c1516a8803178d5e699f91856e8f9616b7f3fdc755af863f25c29cf08191775ab04d1457a0db8741e1697a66bd2c84252de58942c16faf
- SSDEEP
  
  768:/Jyky/Nki4Q/JRQ/RZ49ylKR2e7jbEcIKFvGmjXO3XJOai:hiki4Q/JR2RZ49A1ecjXJ+
Score

3^/10

discovery
behavioral19 behavioral20
- Target
  
  $R9/Stubs/lzma
- Size
  
  33KB
- MD5
  
  9557ea4608e64b857c1125eb41ba7429
- SHA1
  
  d7276eccc032919c84fc05f206d3cdd0b40fe1fb
- SHA256
  
  b72d402fce699b21bbf0a4a86ab9fb7f8a083aeacd4f797be7a7f6f91ef93d62
- SHA512
  
  8eb238cd34668c12779553b7ef15cbeb4d8dd7aac36b5f044c680b83b04f7e2564905625e14ae5c5e06e4e9b5ccdb1663a08aa63a95e176266d59924061a6ce8
- SSDEEP
  
  768:/ip/4K0wirQK33PaH81Fej4w0kGvFONg4jjfS3XJWai:6Zr0wirt3/aEecbsg4sXJW
Score

3^/10

discovery
behavioral21 behavioral22
- Target
  
  $R9/Stubs/zlib
- Size
  
  35KB
- MD5
  
  346d3c8665f307a06aba85f8745360e8
- SHA1
  
  de87ba7e2553f0efd531d30d6a5997dab9a6bc2f
- SHA256
  
  c96383fe97a213140741bf5df71f322753200c094cb22db634e050d2be744a4f
- SHA512
  
  6d9910251618226bfd94c94661b86db0b6c07d5dbc5445cbd0ae7bd34fc42e0b2af53fbd14b57969cda9deb747dae7837209eb4c61b4b130b0170f584b839aa2
- SSDEEP
  
  768:x0gFJMBrbxJQJFiXDYwQ5NTdKqP5sCOfZ7jrG0D3cjfS3XJQai:xfYBrbzmFizYwUK1G0DRXJQ
Score

3^/10

discovery
behavioral23 behavioral24
- Target
  
  $R9/makensis.exe
- Size
  
  484KB
- MD5
  
  e79833cb0d7b2573819ded2122b57bdd
- SHA1
  
  71ead8cd4a95704a0cade630bb3ce280af7e028e
- SHA256
  
  572a6f9cb5b37b6eec13b578d346c2568ce3ec88bb711d75dac9e82fc01c8860
- SHA512
  
  4b023e60392ead0691621a1306286fda6cdc4c447f164c8f249c59db2500d8b98514d93c7a7e8d3cfd60818d2ca74e84ec24163492765b6c17fe94ea0385bd69
- SSDEEP
  
  12288:LhHlj+wtKJVIo9ZoACV6sil8+eSycI+Tt0XCyzLHWj:Lxl+0KJVpneV6siy+I+TtcCyzLHW
Score

3^/10

discovery
behavioral25 behavioral26
- Target
  
  information.vbe
- Size
  
  1KB
- MD5
  
  e9ffdb716af3d355b25096a8ed4de8ef
- SHA1
  
  66e2b15ba4dbfa127c3ec86abce666870a4a168a
- SHA256
  
  30daba44a4a25ff5750508613f897057a55337458f19b562e2ed1172c77e626b
- SHA512
  
  f157dc99dfd4c1bec37deba85ed5250f70e169ab2d21b2c75d7d94b4463608c3c74ed9ab773e1359735cb95cb1f38333887d3c8e65c80c0cdfeee8bcb0d019f3
Score

8^/10

defense_evasion
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral27 behavioral28