3f02410281c8e454be1e326c2817f006806d6e5d89948207203b7ee64f940d7f

General

Target

8825e4591cadaec1fb1d0082f84c2398.bin
Size

2KB
Sample

241122-btr5wa1nev
MD5

32fab4cba227cc61cd4319a72bccb376
SHA1

fbd0426411b400f09f80a42b965db7ec702ddbb3
SHA256

3f02410281c8e454be1e326c2817f006806d6e5d89948207203b7ee64f940d7f
SHA512

dd8de6022b2fdd58eff09901b419531f1d9ef17af45705f89ef780d6c719260277e9a5062a8e5e1df76a8b9a6ebb7b6338f327716591a9fe54a116eb6077223e

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Targets

- Target
  
  61db47c10daf54a56360bbfa26f2127a31fadfc766220384eff41153d31d23fa.vbs
- Size
  
  12KB
- MD5
  
  8825e4591cadaec1fb1d0082f84c2398
- SHA1
  
  39fca0a522686f7b9b2b9dc5e5874aebcf231159
- SHA256
  
  61db47c10daf54a56360bbfa26f2127a31fadfc766220384eff41153d31d23fa
- SHA512
  
  d5b9c70136aaef8ca9aa1dfb32225632b69de90310ba4f9dcf35567ed58cfd6da8a6fbede4714a19ff41310af0e04bc54c7c6a95060840918efc5a31893fa2c9
- SSDEEP
  
  96:J86ymyaynXnLbv+mfupmtsgOgjAC9LFgtYif8fTFsgH2vX5bUdnL7vcumuZ4Y5Wx:JttRS/GpqDzj1eUhDH2Rb8RX1GHRkfkx
Score

10^/10

discovery execution
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Suspicious use of SetThreadContext
behavioral1 behavioral2