Extracted

• • Target

    2024年河北移动冬日取暖.exe

  • Size

    57KB

  • MD5

    ab0662588da7d3bbbaf43874ea006402

  • SHA1

    fd69c29b50fac7ba5798d7cfee3715f71a0f144a

  • SHA256

    273ba908b18101dc030ee3e6efbe2111ccbfaf76e029f5abe4b7748fa4a8274c

  • SHA512

    08a264129bf85cac44d48863cb8bbafb94bbcff2c9bf858527a2ea971c5dfd49bc28fe1673c08e607f48d121eff6e7ad7566701cb17175a49fc7edc172c5c570

  • SSDEEP

    1536:TpyK/fPL+fq1ZqQtIZhaG9qCL/EgvBNDtb+:Tb/fPH1ZqQtIZhaqfZ51B+

  Score

  10^/10

  cobaltstrikebackdoortrojan

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike

  • Cobaltstrike family

    cobaltstrike
  behavioral1behavioral2

• • Target

    b286a5a36ab9f02b8c2b6b57d2282f0b.exe

  • Size

    21.0MB

  • MD5

    b286a5a36ab9f02b8c2b6b57d2282f0b

  • SHA1

    646560f8be01066d2b2ded465fc272fbd318c0c5

  • SHA256

    8baa66ade6cb8c14841a51e97bfda8836ca0e387009c96c075984b11476ee1ab

  • SHA512

    e5994f11f566e30fb880bacba629674f00af0bfeac24c789e9eefebc11dc4b3eea3465bbe1a15adb4a3e42b8d9622965bdaac02e7b15ecbf8a028dfc9ac161ef

  • SSDEEP

    393216:qRbyUI273CAabyUI273CAmwGHgVDonQaNkhWtIZanwwU+fSJsv6tWKFdu9Cs:qRbNIgyAabNIgyAmwKMl+f

  Score

  5^/10

  • Suspicious use of SetThreadContext

  behavioral3behavioral4

• • Target

    content_1730298613069.scr

  • Size

    248KB

  • MD5

    dc38da17b0f0cc99f4831aba153bb28b

  • SHA1

    b756ef1b0369e0822ed248363ae6c577d53a7834

  • SHA256

    62856958c7571eacf182e9b38f59189d7681ac39513fe3d3778f4b0be4e6ede1

  • SHA512

    2c5349b9555c7ddaa300652173eef422fdcfbe464b8f8fca9e2ac53088d860eb996c763506d8ca1fef9ae9a0fb4d9574c6faf164050deb8f27646607f1699f8c

  • SSDEEP

    3072:whLXC/6ZxsIDrok7gJWyzebqkqNKktNXBPmaoTZ2xZS21+GCI2ekEbkAsH3mYBoj:whL46Z6IDvgJM5QmahxZS2EGCtr3X7F

  Score

  10^/10

  gh0stratpurplefoxdiscoveryratrootkittrojan

  • Detect PurpleFox Rootkit

    Detect PurpleFox Rootkit.

    rootkit

  • Gh0st RAT payload

  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat

  • Gh0strat family

    gh0strat

  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox

  • Purplefox family

    purplefox

  • Downloads MZ/PE file

  behavioral5behavioral6

• • Target

    uninst.exe

  • Size

    4.5MB

  • MD5

    fa31a70b20d5d1666ddd40cf3305e334

  • SHA1

    530a9bc75d351810f8e4690a7041339ce255bbe0

  • SHA256

    b2d659ecaaa662f6366cbbef01ea76506632a95d169e6d06dca7fd6452608c94

  • SHA512

    5cfe701112133127ac73a302ac9a1ce3f1f6da42d60fffed1007f9931cb47bcd6d0d5557a25faaecf1c692d1f70916cc6c1136619703f9c71c171663377b9fa0

  • SSDEEP

    49152:1z6XIrSYssIOfbCcWYLdNBpQkdmTlrg12d8xfMHFnJgxy5CVB0cEWxPZ/xHdbrsi:1+Pc2Q2d6Ml6xBB0nWxPZDuJWP

  Score

  8^/10

  discoverypersistence

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext

  behavioral7behavioral8

• • Target

    《融通集团员工个人身份信息泄露处置手册》.exe

  • Size

    580KB

  • MD5

    fa8a22d532ee0ff8db83548bfccd0d9a

  • SHA1

    004f4c8c6d0752cc21c24b06910eaa08c4826b4d

  • SHA256

    9de1fdaea4b1b503b1c19bcfcd6c32bb94def201826446188a4d77c3c336ce0e

  • SHA512

    9d660e2d63080dc1e3471591c90ad3725a719da122f886223c755b6966d9d05d8755062a21372124e97037cb4d4bc7981294e689f70782370ca911ab6aab6375

  • SSDEEP

    6144:Csshx1CyRdtxCvpKx/4zVePPFIdfS4ylDg2SIpLMPJri+QNicsk:CplxCQwVeHxS2SOqri+Qgbk

  Score

  1^/10
  behavioral10behavioral9