General
-
Target
3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4
-
Size
169KB
-
Sample
241029-x9rd6sxmdv
-
MD5
fc505b7730fbbdead6d352aba01d6a18
-
SHA1
aa28e00c57c2a9a8638c777bb90f1f1528d359bb
-
SHA256
3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4
-
SHA512
7a61ec10f25cd40fe7c596d4afc1adfdf8497a5595768891372de12f9a44b176ecaa59cd84046e46d1277d30701d1bc68e8f8ed3606bcc535967764a7c1ae14d
-
SSDEEP
3072:EkMXuXhNC38S7gzQ/cqD4UT6R27Xrcrc0D83SOYrbnBI5a36rERRQSIpiJrenYPG:ayzQ/4WXwrJn9rbnBbLRRQSIpiJrenYe
Behavioral task
behavioral1
Sample
3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
nightingale
https://api.telegram.org/bot6884699661:AAGPbkqESYn7iH7c6q7YuTlciwwO2tHQev0/sendDocument
Targets
-
-
Target
3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4
-
Size
169KB
-
MD5
fc505b7730fbbdead6d352aba01d6a18
-
SHA1
aa28e00c57c2a9a8638c777bb90f1f1528d359bb
-
SHA256
3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4
-
SHA512
7a61ec10f25cd40fe7c596d4afc1adfdf8497a5595768891372de12f9a44b176ecaa59cd84046e46d1277d30701d1bc68e8f8ed3606bcc535967764a7c1ae14d
-
SSDEEP
3072:EkMXuXhNC38S7gzQ/cqD4UT6R27Xrcrc0D83SOYrbnBI5a36rERRQSIpiJrenYPG:ayzQ/4WXwrJn9rbnBbLRRQSIpiJrenYe
-
Nightingale family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-