Overview

Overall score: 10/10

Task               Platform             Score
Static             -                    10
PL/6523.exe        windows7-x64         10
PL/6523.exe        windows10-2004-x64   10
PL/Galaxy.exe      windows10-2004-x64   7
PL/Service.exe     windows7-x64         6
PL/Service.exe     windows10-2004-x64   6
PL/Une1.exe        windows10-2004-x64   7
PL/pb1115.exe      windows7-x64         7
PL/pb1115.exe      windows10-2004-x64   7
PL/setup.exe       windows7-x64         10
PL/setup.exe       windows10-2004-x64   10
PL/setup.exe       windows7-x64         10
PL/setup.exe       windows10-2004-x64   8
PL/setup331.exe    windows7-x64         7
PL/setup331.exe    windows10-2004-x64   7

General

Target:  548bdfcb86652c14659e019e9f838f42
Size:    13.7MB
Sample:  241110-fn9vyszfln
MD5:     548bdfcb86652c14659e019e9f838f42
SHA1:    c8a7719e5f574a0c18566216551ae6e7bdae33f3
SHA256:  4c1fc6a16f378978da7c35f36525a4397a983255020fb709d0ad8cbe3f1e38e5
SHA512:  cc9a2611d43be920d673764d89360adc530fef88b6ed773e9236241eb2f14cec751726680a07a88abeca852873252987114e14381c1645849141b55ba6bd28af
SSDEEP:  196608:/C7YJFaPZRe9KwX9MqDO+SSwsvAlNSzo47accS3/xm0m2nXvmdO/yguT5fR6Dma7:lg/wWqDOo0SklSm0xmdOduT5fkia8JY
Behavioral tasks

Task           Sample            Resource
behavioral1    PL/6523.exe       win7-20240903-en
behavioral2    PL/6523.exe       win10v2004-20241007-en
behavioral3    PL/Galaxy.exe     win10v2004-20241007-en
behavioral4    PL/Service.exe    win7-20240729-en
behavioral5    PL/Service.exe    win10v2004-20241007-en
behavioral6    PL/Une1.exe       win10v2004-20241007-en
behavioral7    PL/pb1115.exe     win7-20241010-en
behavioral8    PL/pb1115.exe     win10v2004-20241007-en
behavioral9    PL/setup.exe      win7-20241010-en
behavioral10   PL/setup.exe      win10v2004-20241007-en
behavioral11   PL/setup.exe      win7-20240729-en
behavioral12   PL/setup.exe      win10v2004-20241007-en
behavioral13   PL/setup331.exe   win7-20240903-en
behavioral14   PL/setup331.exe   win10v2004-20241007-en
Malware Config

Extracted: privateloader
Indicators:
  http://163.123.143.4/proxies.txt
  http://107.182.129.251/server.txt
  pastebin.com/raw/A7dSG1te
  http://wfsdragon.ru/api/setStats.php
  163.123.143.12
payload_url:
  https://vipsofts.xyz/files/mega.bmp

Extracted: gcleaner
Indicators:
  208.67.104.97
  85.31.46.167
  107.182.129.235
  171.22.30.106
url_path:
  ....!..../software.php
  ....!..../software.php
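The extracted configs above list the two families' infrastructure in mixed forms: full URLs, one scheme-less pastebin path, and bare IPs. The script below is an added example for this report, not sandbox output, showing how to normalise those entries into one host lookup and scan proxy log lines for contact with either family. The indicator values are copied from the section above; the proxy log line format and the lines in SAMPLE_PROXY_LOG are constructed for the demonstration and describe no real traffic.

```python
"""Normalise the extracted PrivateLoader / GCleaner indicators into one lookup
and scan proxy log lines for contact with that infrastructure.

Added example for this report, not sandbox output. Indicator values are copied
from the extracted-config section; the proxy log format and the log lines are
constructed for the demonstration and describe no real traffic.
"""
from urllib.parse import urlsplit

# Indicators exactly as the report prints them, grouped by attributed family.
# Note the mixed forms: full URLs, a scheme-less pastebin path, bare IPs.
EXTRACTED_CONFIG = {
    "privateloader": [
        "http://163.123.143.4/proxies.txt",
        "http://107.182.129.251/server.txt",
        "pastebin.com/raw/A7dSG1te",
        "http://wfsdragon.ru/api/setStats.php",
        "163.123.143.12",
        "https://vipsofts.xyz/files/mega.bmp",  # payload_url
    ],
    "gcleaner": [
        "208.67.104.97",
        "85.31.46.167",
        "107.182.129.235",
        "171.22.30.106",
    ],
}


def split_indicator(raw):
    """Return (host, path) for a full URL, a scheme-less URL or a bare host/IP."""
    text = raw.strip()
    if "://" not in text:
        text = "//" + text  # makes urlsplit read the first token as the netloc
    parts = urlsplit(text)
    return (parts.hostname or "").lower(), parts.path


def build_lookup(config):
    """Map host -> [(family, path)]; path == "" means the indicator is host-only."""
    lookup = {}
    for family, entries in config.items():
        for raw in entries:
            host, path = split_indicator(raw)
            lookup.setdefault(host, []).append((family, path))
    return lookup


def classify_log_line(line, lookup):
    """Classify one proxy log line of the constructed form
    '<ts> <client> <method> <url-or-host:port> <status>'.

    Returns (family, host, "exact") when a full indicator matched,
    (family, host, "host_only") when only the host of a URL indicator matched
    (a different path on pastebin.com, say, which on its own is not evidence),
    or None when nothing matched."""
    fields = line.split()
    if len(fields) < 4:
        return None
    host, path = split_indicator(fields[3])
    weak = None
    for family, ioc_path in lookup.get(host, []):
        if ioc_path == "" or ioc_path == path:
            return (family, host, "exact")
        weak = (family, host, "host_only")
    return weak


def scan(lines, config=EXTRACTED_CONFIG):
    """Return the list of non-None verdicts for the given log lines, in order."""
    lookup = build_lookup(config)
    return [v for v in (classify_log_line(line, lookup) for line in lines) if v]


# Constructed proxy log lines (not from the sandbox run).
SAMPLE_PROXY_LOG = [
    "2024-11-10T07:41:03Z 10.0.0.5 GET http://163.123.143.4/proxies.txt 200",
    "2024-11-10T07:41:04Z 10.0.0.5 GET https://pastebin.com/raw/A7dSG1te 200",
    "2024-11-10T07:41:05Z 10.0.0.5 CONNECT 208.67.104.97:80 200",
    "2024-11-10T07:41:06Z 10.0.0.5 GET http://wfsdragon.ru/favicon.ico 404",
    "2024-11-10T07:41:07Z 10.0.0.5 GET https://www.microsoft.com/ 200",
]

if __name__ == "__main__":
    for verdict in scan(SAMPLE_PROXY_LOG):
        print(verdict)
```

The "host_only" grade matters for shared hosts such as pastebin.com: only the exact raw-paste path is an indicator of this campaign, whereas a bare-IP entry from the GCleaner config matches on the host alone because that is the whole indicator.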
Targets

Target:  PL/6523.exe
Size:    264KB
MD5:     b2949b2eb9db982c3782953de8a2573f
SHA1:    34ff1afa580b8ca0c23d818f62aafe11e9e16fc2
SHA256:  ef5b55fdd770f3c9cbd4a86cc0afe70e79d4d634bd7c88d6d48e07d5a6742dca
SHA512:  368d9851bce5bd3aa35d41a2b64ad84f4ebe8ff7611fe4b09ca61db298ac8a5590dd11c8ca56786088c311ab7c5c83ac4da819b50cf449b50704c88b482e33d2
SSDEEP:  6144:9+dLV/BxVCLYAXfIeyJuzbgwu70kmiHwVfU:9a5/BxsLYAXWunnsSiv
Score:   10/10
Signatures:
  Smokeloader family

Target:  PL/Galaxy.exe
Size:    261KB
MD5:     637b4e8a4fbef797b42d6979b652a3db
SHA1:    3f7c391b86c27b6414c89135d7e04d913ae151c5
SHA256:  27b752bc4139c9c12d1caff4bef199e7a25ee6caf06eb9897cf615f9cc9c233d
SHA512:  3099e1dde974a395529651f163f6e4e32478657b4530fa1f3d4e39adbb045c5ca3e8e51b35ab524ec0c03cdbaca37eb8a41c3d5b0f3ab96a8461b42c4a60e38f
SSDEEP:  1536:II47GyTGCwiSnmQUt0LB1Efs5gJpoBWBtjKM4le7Qc58wsa0rc3roPhQDbTp:IvGyYiSDnt1E05m9p
Score:   7/10
Signatures:
  Executes dropped EXE
  Adds Run key to start application

Target:  PL/Service.exe
Size:    400KB
MD5:     9519c85c644869f182927d93e8e25a33
SHA1:    eadc9026e041f7013056f80e068ecf95940ea060
SHA256:  f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b
SHA512:  dcc1dd25bba19aaf75ec4a1a69dc215eb519e9ee3b8f7b1bd16164b736b3aa81389c076ed4e8a17a1cbfaec2e0b3155df039d1bca3c7186cfeb9950369bccf23
SSDEEP:  6144:NrkuBHTtY9Jgfq80nzm5tBD2AsG8x0Ca0Hv06A0md0OUGHLzmijOceK2HSw3pXqC:NrkIT/y8T5PVsSnXOc+HSQJKLw
Score:   6/10
Signatures:
  Legitimate hosting services abused for malware hosting/C2

Target:  PL/Une1.exe
Size:    900KB
MD5:     c340449d532642420d4bedc2e9f7ce7c
SHA1:    6153df468674d2eb1680eb6bb0e1bdbc0d6856b7
SHA256:  a233b76767157c012c4d1ec34726d87ea1efac01e49efd9fef394c7e84966103
SHA512:  c9a085e30ed056c819b992bbe34d606d9fca0704362917ad226b64d233b4800be5fb9de35150f2cdd6bc0f3f1132ac77f558f00dd27ca8d474df4a056a7ff4d3
SSDEEP:  12288:5S7lrM9H8y8ea2SONB3/FI3o+fQqZ/pXVrMkM0ke4jNHUJopuBXidpX1ScBl/2GE:eM9H9MMIh4qZRVgtjOoAYX1SgB74j/
Score:   7/10
Signatures:
  Executes dropped EXE
  Loads dropped DLL
  Adds Run key to start application
  Enumerates processes with tasklist
  Suspicious use of SetThreadContext

Target:  PL/pb1115.exe
Size:    3.5MB
MD5:     04aeaa8f06b71a72b8905da20f679b10
SHA1:    ebfa60215fcce5a369f1b340f1232125e37f7a68
SHA256:  55c1cbe7368ef1eafbd435a2b570f362868bd2afda1ddbe59bcbb51b7fc63383
SHA512:  5c393a8e6b3327ece1555aa73111f67e4858898efbbe38ac757a96d91da26a83f0b130e18b6955796e76bd4300475e8eeec63171c8ef407a09069874f48d5774
SSDEEP:  98304:l1kvho0RcPjNWqCdGujwByZm94cGZ+qOUKsE:fkZtcPjNW/GowUE9W+DUK
Signatures:
  none listed on this page

Target:  PL/setup.exe
Size:    352KB
MD5:     ad3374b444437df5f5102ab63a45d327
SHA1:    65302eb15520d64565e64e9cc74fdd09fbad79ef
SHA256:  b3936ea34f4e0235a1715706b7736a6bf0999441c8c37f1f75b4250e7b9b9992
SHA512:  0e569bd15a25649b7293b539118f77ca9920e7a835acd24b75bf6f33c3de3f7e5ddcf9675a6f174af6292f39e88cb6f380f0d1165ed0f1419de41e4348ae2463
SSDEEP:  6144:tK/VQLDETxJSm8oMKGreTfbmBdbNB6yqpx4T50G3YilTuzbgwuds7wVfE:wNQExJjFGreDbmBNfCWdjunnp
Signatures:
  Gcleaner family

Target:  PL/setup.exe_
Size:    7.3MB
MD5:     8b036a5a7406f7227ac65f44e1827fca
SHA1:    3a8499ecca8be3f69cc7163b03f3f499bbe8276f
SHA256:  85250ca9f679cdfebe009b7d66e409b330b35d6021e84e2ef7ceb0d64acdeff1
SHA512:  91cecf5c22bd32fe5cead41884773933b49791e57e00a369818d716dea34433bb558e9feb5b2dfc37f2b4b3488c05dcc50ef1b0f267936c2945308f2e9f32b5a
SSDEEP:  196608:91OeU0YzI5dCR00/4+cmJ/Dwami5rf0RejcO2h4I:3OxOCClgwa70Rej2h4I
Signatures:
  Blocklisted process makes network request
  Checks BIOS information in registry
    BIOS information is often read in order to detect sandboxing environments.
  Checks computer location settings
    Looks up the country code configured in the registry, likely a geofence.
  Executes dropped EXE
  Indirect Command Execution
    Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
  Loads dropped DLL
  Checks installed software on the system
    Looks up Uninstall key entries in the registry to enumerate software on the system.
  Drops Chrome extension
  Drops desktop.ini file(s)
  Drops file in System32 directory

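The signature descriptions above point at specific registry locations: the BIOS description keys read for sandbox detection, the configured country code read for geofencing, the Uninstall key walked to enumerate software, and (on Galaxy.exe and Une1.exe) the Run key written for persistence. The script below is an added example, not the sandbox's own signature engine, that classifies registry-access events into those signatures and counts them per process. The key paths are the documented Windows locations (HKLM\HARDWARE\DESCRIPTION\System\BIOS, HKCU\Control Panel\International\Geo, the CurrentVersion\Uninstall and Run keys); the event line format, the `analyse` helper and the lines in SAMPLE_EVENTS are constructed for the demonstration; the ATT&CK technique IDs attached to each rule are the author's mapping, not taken from the report.

```python
"""Classify sandbox registry-access events into the behaviour signatures the
report attaches to PL/setup.exe_ (BIOS lookup, location/geofence lookup,
installed-software enumeration) plus the Run-key signature seen on Galaxy.exe
and Une1.exe.

Added example, not the sandbox's signature engine. Key paths are the documented
Windows locations; the event line format, the `analyse` helper and the sample
events are constructed for the demonstration; the ATT&CK IDs are the author's
mapping, not the report's.
"""
import re

# (signature name, ATT&CK technique, normalised key prefix, operations that count)
RULES = [
    ("Checks BIOS information in registry",
     "T1497 Virtualization/Sandbox Evasion",
     r"HKLM\HARDWARE\DESCRIPTION\System\BIOS", {"RegQueryValue"}),
    ("Checks computer location settings",
     "T1614 System Location Discovery",
     r"HKCU\Control Panel\International\Geo", {"RegQueryValue"}),
    ("Checks installed software on the system",
     "T1518 Software Discovery",
     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
     {"RegEnumKey", "RegQueryValue"}),
    ("Adds Run key to start application",
     "T1547.001 Registry Run Keys / Startup Folder",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", {"RegSetValue"}),
]

HIVE_ALIASES = {
    "HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
    "HKEY_USERS": "HKU", "HKEY_CLASSES_ROOT": "HKCR",
}

# Constructed event format: pid=<n> op=<Reg*> key="<path>" [value="<name>"]
EVENT_RE = re.compile(
    r'pid=(?P<pid>\d+)\s+op=(?P<op>\w+)\s+key="(?P<key>[^"]*)"'
    r'(?:\s+value="(?P<value>[^"]*)")?')


def normalise_key(key):
    """Shorten the hive name and drop the WOW6432Node redirection so the
    32-bit and 64-bit views of the same key match one rule."""
    hive, sep, rest = key.partition("\\")
    hive = HIVE_ALIASES.get(hive.upper(), hive.upper())
    rest = re.sub(r"(?i)\\WOW6432Node", "", rest)
    return hive + sep + rest


def parse_event(line):
    """Parse one event line into a dict, or return None for lines that do not fit."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    return {"pid": int(m["pid"]), "op": m["op"],
            "key": normalise_key(m["key"]), "value": m["value"]}


def match_signatures(events):
    """Return {signature: {"technique": str, "pids": set, "count": int}}."""
    hits = {}
    for ev in events:
        for name, technique, prefix, ops in RULES:
            if ev["op"] in ops and ev["key"].lower().startswith(prefix.lower()):
                entry = hits.setdefault(
                    name, {"technique": technique, "pids": set(), "count": 0})
                entry["pids"].add(ev["pid"])
                entry["count"] += 1
    return hits


def analyse(lines):
    """Parse raw event lines (skipping unparsable ones) and match the rules."""
    return match_signatures([e for e in map(parse_event, lines) if e])


# Constructed events, not from the sandbox run.
SAMPLE_EVENTS = [
    r'pid=2468 op=RegQueryValue key="HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS" value="SystemManufacturer"',
    r'pid=2468 op=RegQueryValue key="HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS" value="SystemProductName"',
    r'pid=2468 op=RegQueryValue key="HKEY_CURRENT_USER\Control Panel\International\Geo" value="Nation"',
    r'pid=3120 op=RegEnumKey key="HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"',
    r'pid=3120 op=RegSetValue key="HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" value="Galaxy"',
    r'pid=3120 op=RegQueryValue key="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" value="ProgramFilesDir"',
    "malformed line that the parser skips",
]

if __name__ == "__main__":
    for name, info in analyse(SAMPLE_EVENTS).items():
        print(f"{name}: {info['technique']} (pids {sorted(info['pids'])}, {info['count']} events)")
```

Matching on a normalised key prefix rather than the raw string is what keeps a 32-bit sample's WOW6432Node view of the Uninstall key under the same signature as the native 64-bit path; a plain CurrentVersion read (the last sample event) does not fire because the Uninstall prefix is longer than the key that was touched.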
Target:  PL/setup331.exe
Size:    2.0MB
MD5:     2486b7f5f41d592ec4781b54cd828f70
SHA1:    604009984d2f335a969ab447a61beec8661a99fe
SHA256:  aa0a01e35fe2110068e1934eb568f5d3a41abe4b73a64a045f9a9ab8e085114c
SHA512:  116cee6490ae2b631b0457c0ae328f88df74bff3b8f2b47652366cf125d22fc910733859825ed181ae547a664c15e5358c95cdd6b874c43cc426303bfd841370
SSDEEP:  49152:3rBfJXAEYCT6v3vX/1AkJxopk7lDiQCv3e6rNx:3rBfKEYd3v+Ioi7Rg5x
Score:   7/10
Signatures:
  Checks computer location settings
    Looks up the country code configured in the registry, likely a geofence.
  Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tactic                 Technique (sub-technique indented)             Count
Execution              Command and Scripting Interpreter              1
                         PowerShell                                   1
                       Scheduled Task/Job                             1
                         Scheduled Task                               1
Persistence            Boot or Logon Autostart Execution              1
                         Registry Run Keys / Startup Folder           1
                       Create or Modify System Process                1
                         Windows Service                              1
                       Scheduled Task/Job                             1
                         Scheduled Task                               1
Privilege Escalation   Boot or Logon Autostart Execution              1
                         Registry Run Keys / Startup Folder           1
                       Create or Modify System Process                1
                         Windows Service                              1
                       Scheduled Task/Job                             1
                         Scheduled Task                               1
Defense Evasion        Impair Defenses                                2
                         Disable or Modify Tools                      2
                       Indirect Command Execution                     1
                       Modify Registry                                3
Credential Access      Credentials from Password Stores               1
                         Credentials from Web Browsers                1
                       Unsecured Credentials                          1
                         Credentials In Files                         1
Discovery              Peripheral Device Discovery                    1
                       Process Discovery                              1
                       Query Registry                                 5
                       Remote System Discovery                        1
                       System Information Discovery                   5
                       System Location Discovery                      1
                         System Language Discovery                    1
                       System Network Configuration Discovery         1
                         Internet Connection Discovery                1