e06aa8ce984b22dd80a60c1f818b781b05d1c07facc91fec8637b312a728c145

Sharing

Copy URL

Twitter E-mail

General

Target

IMG001.exe
Size

3.4MB
Sample

241007-msa1ra1cjm
MD5

d59e32eefe00e9bf9e0f5dafe68903fb
SHA1

99dc19e93978f7f2838c26f01bdb63ed2f16862b
SHA256

e06aa8ce984b22dd80a60c1f818b781b05d1c07facc91fec8637b312a728c145
SHA512

56a3790205885d12252109fdf040e5527fad8a11811e7471e7d406781c9bb4e3514b074daf933a3865de03f99cd13d93203d5478a69e87692cdd016741b73587
SSDEEP

98304:MxtVPnq1y5tQOM33ZNqCtBixHl54Oyjes1bo5:uVPq1yLanrqTr43eSG

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
176.124.138.1
Port:
21
Username:
ftp

Extracted

Credentials

Protocol: ftp
Host:
13.69.9.3
Port:
21
Username:
user
Password:
cisco

Extracted

Credentials

Protocol: ftp
Host:
173.198.242.9
Port:
21
Username:
ftp
Password:
admin123

Targets

- Target
  
  IMG001.exe
- Size
  
  3.4MB
- MD5
  
  d59e32eefe00e9bf9e0f5dafe68903fb
- SHA1
  
  99dc19e93978f7f2838c26f01bdb63ed2f16862b
- SHA256
  
  e06aa8ce984b22dd80a60c1f818b781b05d1c07facc91fec8637b312a728c145
- SHA512
  
  56a3790205885d12252109fdf040e5527fad8a11811e7471e7d406781c9bb4e3514b074daf933a3865de03f99cd13d93203d5478a69e87692cdd016741b73587
- SSDEEP
  
  98304:MxtVPnq1y5tQOM33ZNqCtBixHl54Oyjes1bo5:uVPq1yLanrqTr43eSG
Score

7^/10

discovery persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
behavioral1
- Target
  
  $PLUGINSDIR/ExecDos.dll
- Size
  
  6KB
- MD5
  
  d7b975049ec3aba50e4b7cc654a28214
- SHA1
  
  25f2578945ebc9ac037fef7b7f94c5d48e42388b
- SHA256
  
  42422d912b9c626ad93eb8c036ad82ee67cfa48cf75259c20c327eddd4cc376f
- SHA512
  
  f95f7875aeab586d42ee48029f7feed6e2fd8a7d106671e225ff5cf9ad83375f0ec3b8b288177c5d48b4c51eeddde687d67e7b07ad324e24059cff0a6516c270
- SSDEEP
  
  96:31pNOe2w5QbJHsBiyw4uM4jEFVliuOtac32FOeSMV7WhWD:dj5Qb1sBPuijiu6avTyhW
Score

3^/10

discovery
behavioral2
- Target
  
  $PLUGINSDIR/inetc.dll
- Size
  
  21KB
- MD5
  
  d7a3fa6a6c738b4a3c40d5602af20b08
- SHA1
  
  34fc75d97f640609cb6cadb001da2cb2c0b3538a
- SHA256
  
  67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e
- SHA512
  
  75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934
- SSDEEP
  
  384:oW4gLK82JvtosNCPhXKJ18hcEP1+f+pvMPbkdTg1Zahzs60Ac9khYLMkIX0+Gbyk:oW4i/2JloB5IQ9AhkwZaKRu
Score

3^/10

discovery
behavioral3
- Target
  
  $R9/NsCpuCNMiner32.exe
- Size
  
  1.4MB
- MD5
  
  3afeb8e9af02a33ff71bf2f6751cae3a
- SHA1
  
  fd358cfe41c7aa3aa9e4cf62f832d8ae6baa8107
- SHA256
  
  a0eba3fda0d7b22a5d694105ec700df7c7012ddc4ae611c3071ef858e2c69f08
- SHA512
  
  11a2c12d7384d2743d25b9e28fc4ea0c3e2771aca92875fd3350f457df66c66827d175f67108f1a56d958f3b1163f3a89eedb8919bf7973d037241a1e59231d5
- SSDEEP
  
  24576:gWKqa4hnzP3w7L3rmZmpk7FSQFW2iJ+N07/TwYV1CdZdQ+4lT+iFgiGTtswAtdz:gSrwf3aZmpOFU2iQNIUc1LxGTtswgd
Score

7^/10

discovery vmprotect
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral4
- Target
  
  $R9/NsCpuCNMiner64.exe
- Size
  
  1.5MB
- MD5
  
  eedb9d86ae8abc65fa7ac7c6323d4e8f
- SHA1
  
  ce1fbf382e89146ea5a22ae551b68198c45f40e4
- SHA256
  
  d0326f0ddce4c00f93682e3a6f55a3125f6387e959e9ed6c5e5584e78e737078
- SHA512
  
  9de3390197a02965feed6acdc77a292c0ef160e466fbfc9500fa7de17b0225a935127da71029cb8006bc7a5f4b5457319362b7a7caf4c0bf92174d139ed52ab5
- SSDEEP
  
  24576:Mf79KQimeoyEgM8dSGDeCAQ4GYwEkYEDI3BiiVzKJo23bvH5xh8wtDzgClYAdC51:b3EciPG9E/LBVeJo2Vsw57lYAA51
Score

7^/10

vmprotect
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral5
- Target
  
  $R9/Plugins/ExecDos.dll
- Size
  
  6KB
- MD5
  
  d7b975049ec3aba50e4b7cc654a28214
- SHA1
  
  25f2578945ebc9ac037fef7b7f94c5d48e42388b
- SHA256
  
  42422d912b9c626ad93eb8c036ad82ee67cfa48cf75259c20c327eddd4cc376f
- SHA512
  
  f95f7875aeab586d42ee48029f7feed6e2fd8a7d106671e225ff5cf9ad83375f0ec3b8b288177c5d48b4c51eeddde687d67e7b07ad324e24059cff0a6516c270
- SSDEEP
  
  96:31pNOe2w5QbJHsBiyw4uM4jEFVliuOtac32FOeSMV7WhWD:dj5Qb1sBPuijiu6avTyhW
Score

3^/10

discovery
behavioral6
- Target
  
  $R9/Plugins/inetc.dll
- Size
  
  21KB
- MD5
  
  d7a3fa6a6c738b4a3c40d5602af20b08
- SHA1
  
  34fc75d97f640609cb6cadb001da2cb2c0b3538a
- SHA256
  
  67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e
- SHA512
  
  75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934
- SSDEEP
  
  384:oW4gLK82JvtosNCPhXKJ18hcEP1+f+pvMPbkdTg1Zahzs60Ac9khYLMkIX0+Gbyk:oW4i/2JloB5IQ9AhkwZaKRu
Score

3^/10

discovery
behavioral7
- Target
  
  $R9/Plugins/info.zip
- Size
  
  1KB
- MD5
  
  8604e0f263922501f749cfca447b041a
- SHA1
  
  85c712bdeaceb78e2785e1f63811b0c4a50f952d
- SHA256
  
  52ec3ba075a507e62bb6e3272fb13b30a8ddc0f62c4ea194311d558b338eb5ed
- SHA512
  
  496d7a1b8b55d28387dad3f1c43e164bb567259c4cac21dd632ccd450dfbf28d431330c27ea72a5a8034979c325d19ff3fd8a3f7fc12b1122f67ef595630d5b2
Score

1^/10
behavioral8
- Target
  
  info.vbe
- Size
  
  1KB
- MD5
  
  e9ffdb716af3d355b25096a8ed4de8ef
- SHA1
  
  66e2b15ba4dbfa127c3ec86abce666870a4a168a
- SHA256
  
  30daba44a4a25ff5750508613f897057a55337458f19b562e2ed1172c77e626b
- SHA512
  
  f157dc99dfd4c1bec37deba85ed5250f70e169ab2d21b2c75d7d94b4463608c3c74ed9ab773e1359735cb95cb1f38333887d3c8e65c80c0cdfeee8bcb0d019f3
Score

8^/10

defense_evasion
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral9
- Target
  
  $R9/Plugins/tftp.exe
- Size
  
  95KB
- MD5
  
  461ed9a62b59cf0436ab6cee3c60fe85
- SHA1
  
  3f41a2796cc993a1d2196d1973f2cd1990a8c505
- SHA256
  
  40fe74d3a1116ed8ca64c62feb694327a414059eeaef62c28bc5917e2e991b3d
- SHA512
  
  5f6f7528a05175cc1b8d927feaba56a90c70e8fe42c7ea01999cf328d28b8596de0df8d6d3fbc6e4fe5d89e36982871a59493dcb8d633fb942a35a217e4aedef
- SSDEEP
  
  1536:TZUlmkDwItbItNwDXIGE5IzBDMDaoQBMJrGIZUn7:9ULDBBIoXvOqBBAUn7
Score

10^/10

discovery
- Contacts a large (538) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
behavioral10
- Target
  
  $R9/Stubs/bzip2
- Size
  
  34KB
- MD5
  
  7ac2315d458a6c78f81f7167b164ef37
- SHA1
  
  f501956f346fe7ac49454f5eae54907eeb247f1d
- SHA256
  
  a32a41c520aa1d08d8e5cbc18c1994f92d47bede5cb8d3aca761579d242d249d
- SHA512
  
  00802299e1161ac3a3849678a0515e2ed4548a9c1397635fb546683a525f2dbaab8b90875d81821bc66b76c6669a309922284e818f510fb0d81d0c317458919b
- SSDEEP
  
  768:FqVnDX38+t1ehxQ7unyskUplx3tUeLTjWfgeOVGM4jjfS3XJvai:kjs+t1ehxQuntkULceeM4sXJz
Score

3^/10

discovery
behavioral11
- Target
  
  $R9/Stubs/bzip2_solid
- Size
  
  34KB
- MD5
  
  0a108faf2f740e2b1a97d64985fdd1b4
- SHA1
  
  e349e668f756ea4b9460bcb2be54504dc357d3d1
- SHA256
  
  5a9ecc6d9dbd32c54507496f022ecca949e18235bb0865e1aa345eb84e6af0cf
- SHA512
  
  3f27d919d40dfbd431c1516a8803178d5e699f91856e8f9616b7f3fdc755af863f25c29cf08191775ab04d1457a0db8741e1697a66bd2c84252de58942c16faf
- SSDEEP
  
  768:/Jyky/Nki4Q/JRQ/RZ49ylKR2e7jbEcIKFvGmjXO3XJOai:hiki4Q/JR2RZ49A1ecjXJ+
Score

3^/10

discovery
behavioral12
- Target
  
  $R9/Stubs/folder.ico
- Size
  
  52KB
- MD5
  
  bbf9dbdc079c0cd95f78d728aa3912d4
- SHA1
  
  051f76cc8c6520768bac9559bb329abeebd70d7c
- SHA256
  
  bef53904908769ceeb60f8e0976c3194e73534f00f4afb65497c2091121b98b2
- SHA512
  
  af110c52c983f1cf55b3db7d375e03c8c9308e3cf9ee1c154c2b25cb3f8299f0c0ba87b47445f09f98659eb536184c245887a341733c11af713e9ecc15288b5d
- SSDEEP
  
  1536:y3i6EBXR2n7dqnfiVDIHMPV0+l/SLOUp4:8eiVD+EmUSLOUp4
Score

3^/10
behavioral13
- Target
  
  $R9/Stubs/icon.ico
- Size
  
  60KB
- MD5
  
  7d0235756df111aeae2600d12bc6fa6b
- SHA1
  
  82d44ef66c49adcc08b0856de9c37fd95bd12ed2
- SHA256
  
  9658fe1598581f8b9410f74f2ec6dc861a6827d4adf41f8494d8629ab9818367
- SHA512
  
  18664048c787dc30461698c36a567c723a5a5efa203e09ae743e456096b8c24f8d4244bbeb777ff438c4f97c589146f8c014e24d821134cb9bd62dd83416cacd
- SSDEEP
  
  768:5JIpxPXbplHfPtUwJowhs1LBEyKTsSIu1n+sHs1eNjcfgJdmepWndoDSJTze2zu7:5Gpx/9l/7RyVcTIuGeNjcfgfu6Ds5hfM
Score

3^/10
behavioral14
- Target
  
  $R9/Stubs/lzma
- Size
  
  33KB
- MD5
  
  9557ea4608e64b857c1125eb41ba7429
- SHA1
  
  d7276eccc032919c84fc05f206d3cdd0b40fe1fb
- SHA256
  
  b72d402fce699b21bbf0a4a86ab9fb7f8a083aeacd4f797be7a7f6f91ef93d62
- SHA512
  
  8eb238cd34668c12779553b7ef15cbeb4d8dd7aac36b5f044c680b83b04f7e2564905625e14ae5c5e06e4e9b5ccdb1663a08aa63a95e176266d59924061a6ce8
- SSDEEP
  
  768:/ip/4K0wirQK33PaH81Fej4w0kGvFONg4jjfS3XJWai:6Zr0wirt3/aEecbsg4sXJW
Score

3^/10

discovery
behavioral15
- Target
  
  $R9/Stubs/rar.ico
- Size
  
  9KB
- MD5
  
  026f40c3ab0068845b6198600bb4a0a8
- SHA1
  
  2dc1e159d9a40274b807e12fe9ff7ea61674ec4f
- SHA256
  
  a7ef8781a56f07a7d8dcceb21eec53ba8a2b7aa4e0e0189edc7c4f4726a5ab05
- SHA512
  
  54cc2cdda37fc1bb9684c38e69dbb13cdfa6c06d5c6982fa8febdb29c33ff4fa7c39f649ca7b2e6ab452ed34aa2389aaabe242e2ccf3f431e428c61ae657b6ad
- SSDEEP
  
  96:LOuLCJei0gKCmTIXf5EbJqrHTHnC47EvqbV9u8iVXpPbmyP+qM4c:L7KeXgzmoBE4rzHVIybVUzTNPLM4c
Score

3^/10
behavioral16
- Target
  
  $R9/Stubs/uninst
- Size
  
  766B
- MD5
  
  4023b710d3b47d9101c27f5da22aa5ef
- SHA1
  
  305c101062c424e728b393409ccf43d5295634a7
- SHA256
  
  ba82bb5d90262417a18cec6631bbd8b880020eb159b45f264a9145196dfb8f3a
- SHA512
  
  03ecea5fd46d4e9f79440a4ec5af3d27f1a60716e5579a1d38d684a1e42d1604fa6bed146eabf2fc2398d5898e67575cfde1ae0cbcd9c9a78c743f95eb366acc
Score

1^/10
behavioral17
- Target
  
  $R9/Stubs/zlib
- Size
  
  35KB
- MD5
  
  346d3c8665f307a06aba85f8745360e8
- SHA1
  
  de87ba7e2553f0efd531d30d6a5997dab9a6bc2f
- SHA256
  
  c96383fe97a213140741bf5df71f322753200c094cb22db634e050d2be744a4f
- SHA512
  
  6d9910251618226bfd94c94661b86db0b6c07d5dbc5445cbd0ae7bd34fc42e0b2af53fbd14b57969cda9deb747dae7837209eb4c61b4b130b0170f584b839aa2
- SSDEEP
  
  768:x0gFJMBrbxJQJFiXDYwQ5NTdKqP5sCOfZ7jrG0D3cjfS3XJQai:xfYBrbzmFizYwUK1G0DRXJQ
Score

3^/10

discovery
behavioral18
- Target
  
  $R9/makensis.exe
- Size
  
  484KB
- MD5
  
  e79833cb0d7b2573819ded2122b57bdd
- SHA1
  
  71ead8cd4a95704a0cade630bb3ce280af7e028e
- SHA256
  
  572a6f9cb5b37b6eec13b578d346c2568ce3ec88bb711d75dac9e82fc01c8860
- SHA512
  
  4b023e60392ead0691621a1306286fda6cdc4c447f164c8f249c59db2500d8b98514d93c7a7e8d3cfd60818d2ca74e84ec24163492765b6c17fe94ea0385bd69
- SSDEEP
  
  12288:LhHlj+wtKJVIo9ZoACV6sil8+eSycI+Tt0XCyzLHWj:Lxl+0KJVpneV6siy+I+TtcCyzLHW
Score

3^/10

discovery
behavioral19
- Target
  
  $R9/pools.txt
- Size
  
  500B
- MD5
  
  5137876455f2fd0c032ceed6fdbe49cb
- SHA1
  
  a33210e43247b1f04f51a341e5be79f769acc941
- SHA256
  
  8689fd11c63754aeabb202d7e1db3e5fe896f4e4e3597d4bfed58950f3110bb9
- SHA512
  
  3deef3848e340a0a631a8969ebabfde22a9a5c69a0c2ec2ad7e2e745800a593591f173c5611b573be7ea87261459d97680e85b13da73e39a8aabdfbfc7609761
Score

1^/10
behavioral20
- Target
  
  $TEMP/info.zip
- Size
  
  1KB
- MD5
  
  8604e0f263922501f749cfca447b041a
- SHA1
  
  85c712bdeaceb78e2785e1f63811b0c4a50f952d
- SHA256
  
  52ec3ba075a507e62bb6e3272fb13b30a8ddc0f62c4ea194311d558b338eb5ed
- SHA512
  
  496d7a1b8b55d28387dad3f1c43e164bb567259c4cac21dd632ccd450dfbf28d431330c27ea72a5a8034979c325d19ff3fd8a3f7fc12b1122f67ef595630d5b2
Score

1^/10
behavioral21
- Target
  
  info.vbe
- Size
  
  1KB
- MD5
  
  e9ffdb716af3d355b25096a8ed4de8ef
- SHA1
  
  66e2b15ba4dbfa127c3ec86abce666870a4a168a
- SHA256
  
  30daba44a4a25ff5750508613f897057a55337458f19b562e2ed1172c77e626b
- SHA512
  
  f157dc99dfd4c1bec37deba85ed5250f70e169ab2d21b2c75d7d94b4463608c3c74ed9ab773e1359735cb95cb1f38333887d3c8e65c80c0cdfeee8bcb0d019f3
Score

8^/10

defense_evasion
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral22
- Target
  
  $TEMP/tftp.exe
- Size
  
  95KB
- MD5
  
  461ed9a62b59cf0436ab6cee3c60fe85
- SHA1
  
  3f41a2796cc993a1d2196d1973f2cd1990a8c505
- SHA256
  
  40fe74d3a1116ed8ca64c62feb694327a414059eeaef62c28bc5917e2e991b3d
- SHA512
  
  5f6f7528a05175cc1b8d927feaba56a90c70e8fe42c7ea01999cf328d28b8596de0df8d6d3fbc6e4fe5d89e36982871a59493dcb8d633fb942a35a217e4aedef
- SSDEEP
  
  1536:TZUlmkDwItbItNwDXIGE5IzBDMDaoQBMJrGIZUn7:9ULDBBIoXvOqBBAUn7
Score

10^/10

discovery
- Contacts a large (1045) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
behavioral23