General

  • Target

    AOMEI FoneBackup.zip

  • Size

    1.6MB

  • Sample

    241224-b6nyzsyjev

  • MD5

    d1808cd3253ae134121f185983e01fde

  • SHA1

    e8b0b82b947a39f5be5bead15160a210295bb8ad

  • SHA256

    b3cecae5cc4b1093b004f2ce0bffa048f8076ee1c57ad7b142d0e76ded9b0a24

  • SHA512

    abc768cc788b71a43963032dc2ea91069a85cade55cbe4da9b7096344349f8afb2d611797194541fd8443e2aca9126e87663cdf42bee2488a7b29fc111fe37e5

  • SSDEEP

    49152:t6xmIXu/HEAhWgl1h8ettul7VtQ1jj6jejX1eJJ3Rq:t6sPHEAhWgl1yett+7HQ1jj8Yler3Q

Malware Config

Targets

    • Target

      AOMEI FoneBackup/FoneBackupSetup_installer.exe

    • Size

      1.9MB

    • MD5

      b909e74fadec9c95f37e67e03fc2353b

    • SHA1

      5109c8ae9f663b6dfdc3bd6499cf51142195703c

    • SHA256

      dba0f608b96363fab6d5e02f814d223fe8f518d9eb51d2feec38582df2554384

    • SHA512

      3c9cc9930163168a95435e3800135bb66a6b701615dc6cda1cf86cfb5a18621307dba1387aa76c9b6e74d531e5890086f2c77a0e289f51112c29adf41d796f42

    • SSDEEP

      49152:MgQqq8B6xO5um29MK4Ry7hBPKJMKtnqvWrlN:MJ8B6xOk546PM3nqvsH

    • Detected Egregor ransomware

    • Egregor Ransomware

      Egregor is a variant of the Sekhmet ransomware, first seen in September 2020.

    • Egregor family

    • Adds Run key to start application

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check before the payload runs.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX build.
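The signatures above are the sandbox's own labels; the helpers below are an added example showing how two of them can be reproduced during manual triage, and are not code from the sandbox vendor or from the analysed sample. The first walks a PE section table to apply the "UPX packed file" heuristic; the second maps raw registry operations to "Adds Run key to start application" and "Checks computer location settings". The PE image and the registry-event log are constructed here so the script runs offline; the event shape (op/key/value) and the `FoneBackup` value name are assumptions, not fields taken from this report.

```python
"""Triage helpers mirroring two of the sandbox signatures above.

Added example; not code from the sandbox vendor or from the analysed sample.
All inputs are constructed in this file so it runs offline.
"""
import re
import struct

# ---------------------------------------------------------------------------
# 1. "UPX packed file": a minimal PE section-table walk
# ---------------------------------------------------------------------------

def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image from its section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header follows the 4-byte PE signature:
    #   +6  NumberOfSections (u16), +20 SizeOfOptionalHeader (u16)
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]   # Name[8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def is_upx_packed(data: bytes) -> bool:
    """Heuristic: stock UPX names its sections UPX0/UPX1 and stores a
    'UPX!' magic in its pack header.  Modified UPX builds often rename
    both, so a miss here does not prove the file is unpacked."""
    names = pe_section_names(data)
    return any(n.startswith("UPX") for n in names) or b"UPX!" in data


def build_pe(section_names) -> bytes:
    """Build a header-only PE (constructed test input, not a real binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, 3 zeroed dwords, SizeOfOptionalHeader=0
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    table = b"".join(n.ljust(8, b"\0")[:8] + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + table


# ---------------------------------------------------------------------------
# 2. "Adds Run key" / "Checks computer location settings" from registry events
# ---------------------------------------------------------------------------

RUN_KEY_RE = re.compile(r"\\windows\\currentversion\\run(once)?$")
LOCALE_KEY_RE = re.compile(r"\\control panel\\international$")
LOCALE_VALUES = {"icountry", "scountry", "locale", "localename"}

# Constructed registry-event log in a sandbox-like shape (assumed fields).
SAMPLE_EVENTS = [
    {"op": "query", "key": r"HKCU\Control Panel\International", "value": "sCountry"},
    {"op": "query", "key": r"HKLM\Software\Microsoft\Windows NT\CurrentVersion",
     "value": "ProductName"},
    {"op": "set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU",
     "value": "a"},
    {"op": "set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "FoneBackup"},   # assumed value name, not from the report
]


def triage_registry_events(events) -> list:
    """Map raw registry operations to the two behaviour signatures.

    Only a write under ...\\CurrentVersion\\Run or RunOnce counts as
    persistence (RunMRU and similar keys are ignored), and only a read of
    a locale/country value under Control Panel\\International counts as a
    location check."""
    hits = set()
    for ev in events:
        key = ev["key"].lower().rstrip("\\")
        value = ev.get("value", "").lower()
        if ev["op"] == "set" and RUN_KEY_RE.search(key):
            hits.add("Adds Run key to start application")
        if ev["op"] == "query" and LOCALE_KEY_RE.search(key) and value in LOCALE_VALUES:
            hits.add("Checks computer location settings")
    return sorted(hits)


if __name__ == "__main__":
    print(is_upx_packed(build_pe([b"UPX0", b"UPX1", b".rsrc"])))
    print(triage_registry_events(SAMPLE_EVENTS))
```

Both checks are deliberately narrow: the Run-key match is anchored on the key path so Explorer's RunMRU history does not trip it, and the packer check only confirms unmodified UPX, which is why the sandbox lists "modified UPX" separately.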

MITRE ATT&CK Enterprise v15

Tasks