General

  • Target

    IMG_0135.jpeg

  • Size

    25KB

  • Sample

    250113-vtbmnssncj

  • MD5

    5a7ba4c88dca5b5f90df79920d166be1

  • SHA1

    a5a72199e36681754c7446e3bc1ad907acd7a4c4

  • SHA256

    144cc427138c1e7cad556b31377bbab933a490b595091d239e4d9b3d414893f7

  • SHA512

    c928826024e4e498aa7e362dab55a16c86d04453bf262586ec4c149ee8d86f5e4b7a717806b0387682d6dc5fde97a1bb0fc82e165d56af6f02009438055ab861

  • SSDEEP

    768:Z8PI2KvWFIFoFYFgsLITWcDdz8sncaY6dy+TcVj0vjz:ZZymgYFgaZcDpdncaxA63

Targets

    • Target

      IMG_0135.jpeg

    • Size

      25KB

    • MD5

      5a7ba4c88dca5b5f90df79920d166be1

    • SHA1

      a5a72199e36681754c7446e3bc1ad907acd7a4c4

    • SHA256

      144cc427138c1e7cad556b31377bbab933a490b595091d239e4d9b3d414893f7

    • SHA512

      c928826024e4e498aa7e362dab55a16c86d04453bf262586ec4c149ee8d86f5e4b7a717806b0387682d6dc5fde97a1bb0fc82e165d56af6f02009438055ab861

    • SSDEEP

      768:Z8PI2KvWFIFoFYFgsLITWcDdz8sncaY6dy+TcVj0vjz:ZZymgYFgaZcDpdncaxA63

    • UAC bypass

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence to restrict execution to or away from specific regions.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Legitimate hosting services abused for malware hosting/C2
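The target is named IMG_0135.jpeg, but the signatures above (Agile.Net obfuscator, executes dropped EXE, loads dropped DLL, UAC bypass) describe a .NET PE executable, not an image: the extension is a lure and the content decides what the file is. The following triage helper, added here as an example and not part of the Triage report, classifies a sample by its magic bytes, reads the PE optional header to check whether the CLR runtime header (data directory slot 14) is populated, flags an image extension that sits on PE content, and compares a local copy against the SHA256 recorded in the report. The PE bytes it tests against are constructed inline (a bare PE32 header with no sections) and are not the submitted sample.

```python
"""Content-based file typing for a sandbox sample whose name says JPEG.

Added example; not part of the Triage report. The PE/JPEG parsing follows
the documented formats; the sample bytes built below are constructed here
and are not the submitted file.
"""
import hashlib
import struct

JPEG_MAGIC = b"\xff\xd8\xff"
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # CLR runtime header slot

# SHA256 published in the report, used only to confirm a local copy matches.
REPORT_SHA256 = "144cc427138c1e7cad556b31377bbab933a490b595091d239e4d9b3d414893f7"


def classify(data: bytes) -> str:
    """Classify by magic bytes: 'jpeg', 'pe', 'pe-dotnet' or 'unknown'."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "unknown"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt = e_lfanew + 24                      # optional header: 4-byte sig + 20-byte COFF header
    if opt + 2 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "unknown"
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                       # PE32
        count_off, dir_off = opt + 92, opt + 96
    elif magic == 0x20B:                     # PE32+
        count_off, dir_off = opt + 108, opt + 112
    else:
        return "pe"
    if count_off + 4 > len(data):
        return "pe"
    num_dirs = struct.unpack_from("<I", data, count_off)[0]
    entry = dir_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    if num_dirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR and entry + 8 <= len(data):
        rva, size = struct.unpack_from("<II", data, entry)
        if rva and size:                     # non-empty CLR header => managed (.NET) image
            return "pe-dotnet"
    return "pe"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension claims an image but the bytes are a PE."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in {"jpg", "jpeg", "png", "gif"} and classify(data).startswith("pe")


def matches_report(data: bytes) -> bool:
    """Compare a local copy against the SHA256 recorded in the report."""
    return hashlib.sha256(data).hexdigest() == REPORT_SHA256


def build_fake_pe(dotnet: bool) -> bytes:
    """Constructed minimal PE32 header (no sections) for offline testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points right after the DOS header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)    # PE32 magic
    struct.pack_into("<I", opt, 92, 16)      # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    return bytes(dos) + coff + bytes(opt)


if __name__ == "__main__":
    samples = [("IMG_0135.jpeg", build_fake_pe(True)),
               ("photo.jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF")]
    for name, blob in samples:
        verdict = "MISMATCH" if extension_mismatch(name, blob) else "ok"
        print(f"{name}: {classify(blob)} ({verdict}), matches report: {matches_report(blob)}")
```

Run it against the real sample (read the file in binary mode and pass the bytes to `classify`, `extension_mismatch` and `matches_report`) before detonation: a `pe-dotnet` verdict on a `.jpeg` name is exactly the condition the report's signatures imply, and the hash check confirms the copy on disk is the one the report describes.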

MITRE ATT&CK Enterprise v15
