General
- Target: PO PRF-TR-2023-0001.Tar
- Size: 414KB
- Sample: 241022-qbs2sawelh
- MD5: 8cb7794f3dac113b046d69bc37c08d65
- SHA1: 19491c29709fa699c75aad9e1522a50366395f2e
- SHA256: 3aae124eceda655dd6298323abad2fd571cdf580a22ba11921c2d0b45038f406
- SHA512: e814f5402df258b2dd6c0e5d792a4efceff2a0b6fe6223d3529fea2f01e875e4b158eac54421b060fc4d6b7ed3520b89830e2bb182ef33e24255f53c8b60f7b9
- SSDEEP: 12288:6K/31MvR8TVO93usG80Q+55Jkn1YeczzGqThAEXmo5nWu:P31MJX3nGXQ+NaYtNln2o5h
Static task
- static1

Behavioral task behavioral1
- Sample: PO PRF-TR-2023-0001.rar
- Resource: win7-20240903-en

Behavioral task behavioral2
- Sample: PO PRF-TR-2023-0001.rar
- Resource: win10v2004-20241007-en

Behavioral task behavioral3
- Sample: Krcdanwiedyoqk.exe
- Resource: win7-20240903-en

Behavioral task behavioral4
- Sample: Krcdanwiedyoqk.exe
- Resource: win10v2004-20241007-en
Malware Config

Targets

Target: PO PRF-TR-2023-0001.Tar
- Size: 414KB
- Score: 1/10

Target: Krcdanwiedyoqk.exe
- Size: 1.1MB
- MD5: da449c2d60fe9adb096242dd71db10c8
- SHA1: 55276aa1b212c91e997d70deac1595528234fc96
- SHA256: 57a211664560494ee01af527f281a3fcc9727c15c322122d283e5213a11ab3d3
- SHA512: 1c20999f7295b4c38af4c48dfe34b6738522028a984e0df1f9375212700f6297c69c4e154352b90fd0dce30bda07a54d155a76c9475acd35e7962eba6b458b34
- SSDEEP: 24576:rCtVqnbUQ25Qm2XzuiYcx3RqrPBzKRfuHpEqiyu5T5:rkabmuYc3qrWyuv
- Azorult: An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- ModiLoader, DBatLoader: ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files: Steals credentials from unsecured files.
- Accesses Microsoft Outlook profiles
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Boot or Logon Autostart Execution: 1
  - Registry Run Keys / Startup Folder: 1

Credential Access
- Credentials from Password Stores: 1
  - Credentials from Web Browsers: 1
- Unsecured Credentials: 7
  - Credentials In Files: 6
  - Credentials in Registry: 1