General

  • Target

    Virus

  • Size

    227KB

  • Sample

    250121-zfn33azldx

  • MD5

    736aa3d94f87b461577f0e6f2b353786

  • SHA1

    d2535b35aec6866eb78e7b35c89a36bb52c4af00

  • SHA256

    d40967c986339d301ca4ef9e297cf820aaa9e6ce656bb84ce11db77041c43f2a

  • SHA512

    846dd2af458bb91e4c332a7a012e011d0960d288e4b5f778ab0d2bc9dcb5204d1ec737df6de1e7f9c883881142d0484e8f28b57f15ef718c91622bf5e23d436b

  • SSDEEP

    6144:NgNFDpOL/saqkPV9FH2LtcIDSsmwH9ZvZJT3CqbMrhryf65NRPaCieMjAkvCJv1T:KNFDpOL/saqkPV9FH2LtcIDSsmwH9Zvi

Malware Config

Targets

    • Target

      Virus

    • Size

      227KB

    • MD5

      736aa3d94f87b461577f0e6f2b353786

    • SHA1

      d2535b35aec6866eb78e7b35c89a36bb52c4af00

    • SHA256

      d40967c986339d301ca4ef9e297cf820aaa9e6ce656bb84ce11db77041c43f2a

    • SHA512

      846dd2af458bb91e4c332a7a012e011d0960d288e4b5f778ab0d2bc9dcb5204d1ec737df6de1e7f9c883881142d0484e8f28b57f15ef718c91622bf5e23d436b

    • SSDEEP

      6144:NgNFDpOL/saqkPV9FH2LtcIDSsmwH9ZvZJT3CqbMrhryf65NRPaCieMjAkvCJv1T:KNFDpOL/saqkPV9FH2LtcIDSsmwH9Zvi

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks