General
-
Target
f5c5f4572e0dc9f3c210a636885c1e4b.bin
-
Size
8.2MB
-
Sample
240701-erjbqsyhjn
-
MD5
f5c5f4572e0dc9f3c210a636885c1e4b
-
SHA1
df7731584614d2414d9b14c5d0f2d5223e3e742f
-
SHA256
f1f7dbd211cac3e16a911ad71a790c42d20a2f62711ff8a0918d8bd576cf41e4
-
SHA512
446cd5c863a71a2c8d8558c9a162b99012805b636fc3f3cc555c6836c7bb6bebdced148c6de3a77d9c277f900819ce2e6cea39672ef120f0a24a1e40cae3d086
-
SSDEEP
196608:NsjHWLtfvGzd6MZfeY5lqctrz8J+8uesYDYaASn1myj:Nsj2JOzt5k8z8J+8PTASB
Malware Config
Targets
-
-
Target
CriticalFiles/SN.dll
-
Size
6.2MB
-
MD5
da9f5a3a7e5345ca15fd145b18300fe0
-
SHA1
b35c923818a4f552404aa07749e448779fb2cc21
-
SHA256
c52ac343647edbe0efe2b548b9ed9744472be7a53f199abebaa69f0b728a4371
-
SHA512
c2be5227fbe48cd0b1d779724ea55f2ab53370da4ab0d0e54f9d72b3e295ee9d73fe0c04801d6a9a8bb83b482e9d74a165edb7969cbc71658132e71de39a7d8d
-
SSDEEP
3:n:n
Score1/10 -
-
-
Target
CriticalFiles/SNInstallerHandler.exe
-
Size
2.5MB
-
MD5
962b890f95429f93e9e56f35d3208e59
-
SHA1
a98559becdf6981f7335666418d5f35eef3bae34
-
SHA256
2a97972bc0c3af489e1b551b995c198444785d5007930b6d0de8e6d5d025e868
-
SHA512
e5aff298bd48e1c686ec527d3bf40f0a85e584ab0807c749b862f133171ab38835bfe95ba1d64ec2ece019d7f1fe64dbe5c7fa4685ab614a180fd61070acc8af
-
SSDEEP
49152:OCC81n43bykG2YFwoFV5LDo25gixiDX5cde4UJkDDtCbPGGG:OCB1sGkG2uwoFbLFeX50LUJkUDGG
Score10/10-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s)
-
Stops running service(s)
-
Executes dropped EXE
-
Loads dropped DLL
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
-
-
Target
CriticalFiles/StageSN.exe
-
Size
6.0MB
-
MD5
6827ad0bc2db5262ba83e58e489452c0
-
SHA1
c7b04529a9ac85dd2fd6ea46cbc71a9841c0b207
-
SHA256
d020e692f2f2d30280d169b8b4ec3285adbb1e9f27abb35db6c88bb1999e8a26
-
SHA512
43bbb7353f7d48cf0dd90337b9e3aa507e1212ac1eb7bdd04711bf941f1f991d310bba553533bf369e18571bf08f570f5f8cb8a1dc0d683bff0da7c3708d7438
-
SSDEEP
98304:07EtdFBCbamaHl3Ne4i3gmtfXJOLhx9fZAzDJ4wzQgsRuGK4RLOuAKVq0DwKyf:0yFIeeN/FJMIDJf0gsAGK4RauAKVFw5f
Score8/10-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
InstHndl.dll
-
Size
6.2MB
-
MD5
da9f5a3a7e5345ca15fd145b18300fe0
-
SHA1
b35c923818a4f552404aa07749e448779fb2cc21
-
SHA256
c52ac343647edbe0efe2b548b9ed9744472be7a53f199abebaa69f0b728a4371
-
SHA512
c2be5227fbe48cd0b1d779724ea55f2ab53370da4ab0d0e54f9d72b3e295ee9d73fe0c04801d6a9a8bb83b482e9d74a165edb7969cbc71658132e71de39a7d8d
-
SSDEEP
3:n:n
Score1/10 -
-
-
Target
SuperNova.exe
-
Size
319KB
-
MD5
139874ded78aa99b323dba8eac9c9956
-
SHA1
b5baf7067dcb33b9679ec0188e27e93c3fd70369
-
SHA256
569f306077e35e7fbc449095ce624000939b8f27e68f6bcef908173675118ac9
-
SHA512
bc2bf447e8f06f8dbd3f55a1954ad6137abae2d3c57e471dc1d701ef3ae0dd2263a271af99c09b609b2eeb2c24548650182e1bc18ef75e78a0bf2b559006bc6b
-
SSDEEP
6144:Z4FLwAiLQyi6nn1VredEGZGa0Xv50evr1ChZ9bRPXlwAiLQT:ZILwAiG8f3GZ3Q1S9bR9wAiY
Score1/10 -