General
-
Target
PO-841122676_g787.exe
-
Size
815KB
-
Sample
241121-nfph2s1drb
-
MD5
6b7093af6319bf22ea0c754d7ab45f07
-
SHA1
9991892f77775419815c4953e633b355d51255f7
-
SHA256
1f46960237d1e664022f16446eef5388ac465958872a46dd5590c5dd8279a199
-
SHA512
b380818195d50b6ea569c76c95baf06bc51c94a02980818cd1639b6e2b2f9f7dee430dfdded1a73f934c6954a08d68631c86eaa044beca3b677b710655130e96
-
SSDEEP
12288:l7TL7whZeyDqdTuV/uFivUaiXUS0vlP9Ia8GIbPYkAdwvLRPC6Oe73MFc0:9/6eyQK/oBUS6IacPYkAevLRPJyr
Malware Config
Targets
-
-
Target
PO-841122676_g787.exe
-
Size
815KB
-
MD5
6b7093af6319bf22ea0c754d7ab45f07
-
SHA1
9991892f77775419815c4953e633b355d51255f7
-
SHA256
1f46960237d1e664022f16446eef5388ac465958872a46dd5590c5dd8279a199
-
SHA512
b380818195d50b6ea569c76c95baf06bc51c94a02980818cd1639b6e2b2f9f7dee430dfdded1a73f934c6954a08d68631c86eaa044beca3b677b710655130e96
-
SSDEEP
12288:l7TL7whZeyDqdTuV/uFivUaiXUS0vlP9Ia8GIbPYkAdwvLRPC6Oe73MFc0:9/6eyQK/oBUS6IacPYkAevLRPJyr
Score8/10-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Disables Task Manager via registry modification
-
Accesses Microsoft Outlook profiles
-
Blocklisted process makes network request
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-