General
-
Target
258165aeb0b5a51007f905db642a43310a374d9d973603f6576455d25d13372d
-
Size
88KB
-
Sample
241119-xn9nmavpdl
-
MD5
7d7c66d9e861569a0a79051dd5ea3e82
-
SHA1
11a28b173b00611c0e603ea3af2655fe1fd7fafb
-
SHA256
258165aeb0b5a51007f905db642a43310a374d9d973603f6576455d25d13372d
-
SHA512
bfec0d6826174849625eaa28b3eb698f4d5ad94edd42e2fe47d3876d80ded09f2041f304506aaa555ffc1069374e10fac080d24156829c6c321817700eabf8d6
-
SSDEEP
1536:1yehv7q2Pjx45uoDGTj+5xtekEvi8/dgG8EsAeE9jbDXQMcAkWvgrPE4nWHPNc2C:1yehv7q2Pjx45uoDGTj+5xtekEvi8/dw
Malware Config
Extracted
http://boardingschoolsoftware.com/backup/VC7WK/
http://towardsun.net/admin/O29Fja/
http://47.244.189.73/well-known/cwxgmEZsYIT/
http://centrobilinguelospinos.com/wp-admin/AivCY/
http://qqziyuanwang.com/wp-includes/KtXrm5GwJ/
https://www.swaong.com/b/SVSAPzeDU657xJdmJv/
https://trasix.com/wp-admin/FzpdyUrlGt/
https://marineboyrecords.com/font-awesome/t37LOj/
https://edgetactical.ritabilisim.com/admin/NbjDzEeNJ/
http://cairm.xyz/backup_1/mQPAhJhpV/
http://vrstar-park.com/wp-includes/0bAm9feNorwTmVrj/
https://panaderialaimperial.com/wp-includes/Oi0guE0CQbyBJVg/
Targets
-
-
Target
258165aeb0b5a51007f905db642a43310a374d9d973603f6576455d25d13372d
-
Size
88KB
-
MD5
7d7c66d9e861569a0a79051dd5ea3e82
-
SHA1
11a28b173b00611c0e603ea3af2655fe1fd7fafb
-
SHA256
258165aeb0b5a51007f905db642a43310a374d9d973603f6576455d25d13372d
-
SHA512
bfec0d6826174849625eaa28b3eb698f4d5ad94edd42e2fe47d3876d80ded09f2041f304506aaa555ffc1069374e10fac080d24156829c6c321817700eabf8d6
-
SSDEEP
1536:1yehv7q2Pjx45uoDGTj+5xtekEvi8/dgG8EsAeE9jbDXQMcAkWvgrPE4nWHPNc2C:1yehv7q2Pjx45uoDGTj+5xtekEvi8/dw
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Powershell Invoke Web Request.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-