General

  • Target

    Nezur_Executor.zip

  • Size

    18.6MB

  • Sample

    241107-zvwfpaxqhy

  • MD5

    b464744ab9c9ebd75169f1c8639e432a

  • SHA1

    ce83cff14a367c1fc88fdf1b9aa3df2e64549d85

  • SHA256

    08975e2665243e02ad55dd53892d907554b297bc19ba2e4d11334eb67b45f3a6

  • SHA512

    37f4cd8560b480126ca38135cdac10d28e56f36ba42583b8cfbdaf6555bc656a2448c67fc715b2337e1db07d4d87ec9336e7f7ab5418bf2bb4f9a0206817beaf

  • SSDEEP

    393216:f7gYled7NfP4aahSJKqI9jE8tdBMm50uoYwQGKgyjy6KUvQPnPTpXYi:5elhAaaAUqIFuuozP1yjtvQvdR

Targets

    • Target

      Nezur_Executor.zip

    • Size

      18.6MB

    Score
    7/10
    • A potential corporate email address has been identified in the URL: [email protected]

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      Microsoft.Extensions.FileSystemGlobbing.dll

    • Size

      44KB

    Score
    1/10
    • Target

      Microsoft.Web.WebView2.Core.dll

    • Size

      575KB

    Score
    1/10
    • Target

      Microsoft.Web.WebView2.Core.xml

    • Size

      611KB

    Score
    1/10
    • Target

      Microsoft.Web.WebView2.WinForms.dll

    • Size

      37KB

    Score
    1/10
    • Target

      Microsoft.Web.WebView2.WinForms.xml

    • Size

      40KB

    Score
    1/10
    • Target

      Microsoft.Web.WebView2.Wpf.dll

    • Size

      81KB

    Score
    1/10
    • Target

      Microsoft.Web.WebView2.Wpf.xml

    • Size

      139KB

    Score
    1/10
    • Target

      Nezur.dll

    • Size

      15.2MB

    Score
    7/10
    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Nezur_Interface.deps.json

    • Size

      3KB

    Score
    3/10
    • Target

      Nezur_Interface.dll

    • Size

      6.4MB

    Score
    1/10
    • Target

      Nezur_Interface.exe

    • Size

      154KB

    Score
    6/10
    • Legitimate hosting services abused for malware hosting/C2

    • Target

      Nezur_Interface.runtimeconfig.json

    • Size

      458B

    Score
    3/10
    • Target

      runtimes/win-arm64/native/WebView2Loader.dll

    • Size

      136KB

    Score
    1/10
    • Target

      runtimes/win-x64/native/WebView2Loader.dll

    • Size

      161KB

    Score
    1/10
    • Target

      runtimes/win-x86/native/WebView2Loader.dll

    • Size

      113KB

    Score
    3/10
    • Target

      workspace/vape/CustomModules/cachechecked.txt

    • Size

      8B

    Score
    1/10
    • Target

      workspace/vape/GuiLibrary.lua

    • Size

      319KB

    Score
    3/10
    • Target

      workspace/vape/MainScript.lua

    • Size

      83KB

    Score
    3/10
    • Target

      workspace/vape/assets/CombatIcon.png

    • Size

      512B

    Score
    3/10
    • Target

      workspace/vape/assets/ExitIcon1.png

    • Size

      249B

    Score
    3/10
    • Target

      workspace/vape/assets/LegitModeIcon.png

    • Size

      672B

    Score
    3/10
    • Target

      workspace/vape/assets/ProfilesIcon.png

    • Size

      234B

    Score
    3/10
    • Target

      workspace/vape/assets/SearchBarIcon.png

    • Size

      347B

    Score
    3/10
    • Target

      workspace/vape/assets/VapeLogo1.png

    • Size

      1KB

    Score
    3/10
    • Target

      workspace/vape/assets/WindowBlur.png

    • Size

      908B

    Score
    3/10
    • Target

      workspace/vape/assetsversion.txt

    • Size

      2B

    Score
    1/10
    • Target

      workspace/vape/commithash.txt

    • Size

      4B

    Score
    1/10
