Resubmissions

29/04/2025, 13:05

250429-qbv65syxcx 10

25/04/2025, 13:44

250425-q1x22axmt4 10

General

  • Target

    2c9bb93dc2c9f841e58db43ba7dedd490cf7e0fd9e66c4b56a888e25e93a510c.zip

  • Size

    100KB

  • Sample

    250425-q1x22axmt4

  • MD5

    91be7f5d1087d80fef723f5bf2411e1b

  • SHA1

    f4441e966869314e30e79f85a0a03b9216ae2eb3

  • SHA256

    77be13bdcebe3c287d776bcaa17baabb8e6733fd3f9b4936ed1b16a5e70f9864

  • SHA512

    f96285537e605307636e468f2fec314bebf60613adfe3135062c2e032a457081eeece9e635f3999c23aaaf6d58085eaa0760764153902b3e11004b78e2c8ce2a

  • SSDEEP

    3072:sxSZBkZS0yfy5yv2j9eAiv7Gx467voBNJuwzOO:ESZBkkZ89ejh67vwNJuW

Malware Config

Targets

    • Target

      2c9bb93dc2c9f841e58db43ba7dedd490cf7e0fd9e66c4b56a888e25e93a510c.zip

    • Size

      100KB

    • MD5

      91be7f5d1087d80fef723f5bf2411e1b

    • SHA1

      f4441e966869314e30e79f85a0a03b9216ae2eb3

    • SHA256

      77be13bdcebe3c287d776bcaa17baabb8e6733fd3f9b4936ed1b16a5e70f9864

    • SHA512

      f96285537e605307636e468f2fec314bebf60613adfe3135062c2e032a457081eeece9e635f3999c23aaaf6d58085eaa0760764153902b3e11004b78e2c8ce2a

    • SSDEEP

      3072:sxSZBkZS0yfy5yv2j9eAiv7Gx467voBNJuwzOO:ESZBkkZ89ejh67vwNJuW

    • Score

      1/10
    • Target

      2c9bb93dc2c9f841e58db43ba7dedd490cf7e0fd9e66c4b56a888e25e93a510c.exe

    • Size

      153KB

    • MD5

      41050b2b9f619cdd9916e3bdd5b9f2f9

    • SHA1

      4238bb0dbb97c3bcd11cfba3ea2614d72c85c4bd

    • SHA256

      2c9bb93dc2c9f841e58db43ba7dedd490cf7e0fd9e66c4b56a888e25e93a510c

    • SHA512

      1acda6c30b127e619f980720e846804055d795f79dc5f9645bbde4520b988fac1a3c34d3c9a12d002a72b36de05ce67f8bdaff4e93a4e32321261254ad96e00b

    • SSDEEP

      3072:H6glyuxE4GsUPnliByocWepjLW9lyNX0bzEvH32Qv:H6gDBGpvEByocWedq/VzFG

    • Renames multiple (7639) files with added filename extension

      This suggests ransomware activity: encrypting all of the files on the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v16

Tasks