MAR-10365227.r1.v1
Malware Characterization
This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.
cisa
2022-09-20T14:15:46-04:00
BMachine
134
7.1.0
onedrv.exe
791040
PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5
806998079c80f53afae3b0366bac1479
SHA1
9f7378da13ca1da75e12e536c8e2dc4cd2236489
SHA256
84164e1e8074c2565d3cd178babd93694ce54811641a77ffdc8d1084dd468afb
SHA512
3d592a606426386fa5f1224c7d3f82f31f5a4d23f9c67422d774e080725bc5698e7786407863dd50d7172e814871bdfabbbe6dce9545733d995ddd892249ba22
SSDEEP
12288:kyIzsYTd+LXxWtmtOdnPR3xTexehCkijOcXF8qSH8gdkMdCNGCWJOWCmP8pSMmVN:ky4sO+9ymtsnPRBnlivXPSHxkMNHCNp
Microsoft Visual C++ v6.0
7.996795
3
2021-09-10 17:59:57-04:00
512
MD5
6b81a95076cc3d6f6dff7d32afa3b7e2
2.297287
1.0.0.0
ClientUploader.exe
ClientUploader.exe
1.0.0.0
.text
788992
7.998126
MD5
2d3081eb51c7c393e0a670c8bfcf7c24
.rsrc
1536
3.966404
MD5
5569bca67ba8c174f30990c07b585dbe
Characterized_By
Used
Characterized_By
Created
Figure 1
Figure 2
onedrv.dat
267224
ASCII text, with CRLF line terminators
MD5
dc0414dec9a84d6342c5d5fc77bbdbed
SHA1
1dad19123564d7d02c3259ab4b06c90181dc4b37
SHA256
517faa4a0666ec68842f256f08d987935b6ce9ef64e33f027e084e8f45b9366d
SHA512
1d262f06881516ca2274d8fb18bcb4bcf9c0b3229370b0609f3803f356a676b1149e22da6a33957862d8470a8531d9719af07bd75379df2ca29e373604fb32cb
SSDEEP
3072:ERNwmyBvqZKFkVfhJnEFbDcazPQLTnVy8JR6Ylb3uQ0PQNIfFrCGdDlBXZuZpZfB:bWrjgA
5.360335
Created_By
onedrv.ini
1088
data
MD5
a0ab6d3e643d4dd51ee6ae9079b175a4
SHA1
f179fcc4c41ca5cb443551f88a1074d5176d33f4
SHA256
91a8b31c126a021f5c156742016acdcca7d83eac4b583bae5d4fd0a85a96813b
SHA512
237baa401e0c52ca816cebafa5abf088e9a757f4da452e97210a1fe8eda8c0adc67aa19cacd662dcc98f5bd355d679fb096ff4e97cd54e16c199c66946d65a5e
SSDEEP
24:olkc5V0yhsd/AFvaPo3b6EJ2ITY9UI62JPld5oKLeWb6l+vTI:olkq0yK/Ata5EJ2I5nOTvTI
7.824751
Used_By
ntstatus.exe
6656
PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5
c435d133b45783cce91a5d4e4fbe3f52
SHA1
9ddfa0669358bc19a166a41fd93cec5a3c88205d
SHA256
157a0ffd18e05bfd90a4ec108e5458cbde01015e3407b3964732c9d4ceb71656
SHA512
e4d43dc23ff78f55bc857608fa33691eb7fb3e132332660b46460e7e7512104bc22484489d3d0fbd136270de9f7060641505ad2854cefd50b31ca6bb31b2ae18
SSDEEP
96:nPbVkB7jiZStZC+01RPmaUrfzvDwiFMCnd+taflUTsqzNt:nPbqFiwW+g5maMzDwQMCQwmT
Microsoft Visual C++ v6.0
4.92163
3
2101-07-23 04:43:10-04:00
512
MD5
3994632889cebeff28c360da22c696f3
2.255013
1.0.0.0
AppStorage.exe
AppStorage.exe
1.0.0.0
.text
4608
5.307382
MD5
bec2cac9d419ae07e526a03c4a94cb64
.rsrc
1536
3.934855
MD5
0551c676439e5d812cb2bab3f2060c1b
Related_To
Dropped
Characterized_By
Characterized_By
Characterized_By
Related_To
Figure 3
Figure 4
Figure 5
ntstatus.bin
1834496
data
MD5
d5a7b90177cdf81c2e1de40dc834d764
SHA1
d5dee0a05101cf9ed3c3ca76cf01f518c3ef922c
SHA256
b03ac5eaf2131060ee381e5e46ebc705d8d617a90cc61fa4918174545b4fbaa6
SHA512
cfccd6701a69047c7de246601d2cd41cdc87d314bdcf070778938dad22e3bf5911d3beca0d75379dabdda1ad3c229c3bec329b840f5e4828c8bab41c1cdff159
SSDEEP
24576:vsGNL+Kei7j3iTeG0fYHTlyAUoFwZJuaEh68w8To7FgunNZG10guctbAgYMEc+1B:DNb7dEh68E72O4hEVF
6.681125
Related_To
Contains
OneDriveClient.OneDrive+
OneDriveClient.OneDrive+
OneDriveClient.OneDrive+
OneDriveClient.OneDrive+
OneDriveClient.OneDrive+
OneDriveClient.OneDrive+
OneDriveClient.OneDrive+
OneDriveClient.OneDrive+
OneDriveClient.OneDrive+
---End OneDriveClient Functions---
OneDriveChannel. – This function establishes the connection to the server.
OneDriveChannelSettings. – This function reads the ClientID, Redirect, Refresh Token, and Scopes from the configuration file, ntstatus.ini, and uses them to negotiate the OAuth connection.
UploadedFiles. – This function logs the hash and the file path of each uploaded file into two files: ntstatus.log holds the list of file hashes and ntstatus_temp.log holds the list of file path hashes (See Figure 7).
---End OneDriveClient Functions---
The program also contains supporting libraries for SMB protocol versions 2 and 3. These libraries can maintain lists of IP addresses, logins, domain names, passwords, and SMB clients, which are used to search for and log into SMB file shares. Files can be searched by path, by status (e.g., open or closed), and by attributes (e.g., shared, read-only).
result.exe
1834496
PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
MD5
27a0ba098b8403570c7b1e0863c2d6c5
SHA1
22cb98b9548ffd1010b2799a791ef42b8943f3c9
SHA256
1352dbb093a337eb8db9d0135adbe0542bb7e7163616e4f8962919becab171da
SHA512
7eb71e11947a762d8a9a396de21d6b704f8021acc0ddfc7a959897569d429f3347c9bd1c3206703375d09a81defd3d1f9bba0ea137157d8546b862ded030c4c2
SSDEEP
49152:F2f6rfgMSneK065JlYaDmxZF5ax00MSMoOKiYyBg9FzfJNFL5QPWES2s1B+dBrSY:F2f6rfgMSneK065JlYaDmxZF5ax00MSt
5.579937
4
2021-10-19 20:19:25-04:00
512
MD5
8a2ac318e59571d7c72221d67498bd5f
2.72244
1.0.0.0
ClientUploader.exe
ClientUploader.exe
1.0.0.0
.text
1831936
5.581972
MD5
be70af56c305ef153e32ecc2430d4d8a
.rsrc
1536
3.97147
MD5
5488f249cf62feed84546911d54f96f2
.reloc
512
0.10191
MD5
f80d2b416a07808182a35c49f6967d8f
Created
Created
Characterized_By
Used
Dropped_By
Characterized_By
Created
Contained_Within
Figure 6
Figure 7
ntstatus.ini
3392
data
MD5
b1a7c2ae593e814cfecdcff709b02615
SHA1
ababa956175b2ddae7ec92162a8464b40b79064a
SHA256
da267c72f58ec487761de99d0f3bcfd87771a36afc06716053960633a74139df
SHA512
f511508878f821f80f10d387a60c7bab14c7384cd4ce0a68c73b0331d13d4b716805e3a53794ef0def0062d08eea489ef6239c53c2fa2d7f1c3478aba7e204b1
SSDEEP
96:m74SD0f7Z2wXZ/BFmcktZdsczgmwL1COPP8yeTY4l9N:s4SDA73Zqlt7gmYQEUyMY4jN
7.948675
Characterized_By
Used_By
Figure 8
ntstatus.bat
91
ASCII text, with CRLF line terminators
MD5
d287a50bd0b95d1f153dc071d43e45d3
SHA1
cf1d9da39f4847ee735d46157232585068387763
SHA256
0b01f392fa030be1ddd549fb79cf280d2a2c745578a56fedd4cb5e9438ae72cb
SHA512
1507fd6f41c853f84b7b036280ac6c21556ce5cf10b4008c2902020291255b5bb55e63ebda9921032fd8ebf7f9fd8fffbb7de40e696601bee1486a6155b2a5ed
SSDEEP
3:nlKsoFDLAdAIvVNIGfMMAyIJooORKQExLAdAn:n25ABvoGfdICFRZENAC
4.579538
Created_By
Related_To
ntstatus.log
17520
data
MD5
5753ddd324c2054718252c834d93aac9
SHA1
a2e852b0d911ced7011a7b954fc379c0d0564fc5
SHA256
5ba0d0bfda372c1f6aa382a70f4ab8427ec998b680510e208fdf878cfda9afe3
SHA512
c326d682fdad505f414bbbbbbcd219d40f8f9948c40ffcfd28a5ac5d9cfec647d5f2712ea23eb79bfafd19edfb49577a75f0f99c616abc444da62820eeee4dc6
SSDEEP
384:VEiJb1Xwe87kARzd/CT74lZzRdNKHa7QYopmafni+/5vFdIg:VONdKgVm8Qognie5vFdIg
7.989546
Created_By
ntstatus_temp.log
17520
data
MD5
adfac9c5ef66c21b85fde6503c025b58
SHA1
d7950ad0cc1798f2184be502fcb12bc0a6f27864
SHA256
0b7d15968d44710b3e7f153c04b5038d03900a6685643bc8efe688c4d5a5deab
SHA512
f14a0b26627b15f628a702deca3ec1696c518cdd05f70426d5a4631a8ec6ced60ab96bfdadcbb362c27932de9a95f4794656379a5512eac3774f84e569fe2671
SSDEEP
384:gyf7wfPR70mHa7Kdghm5dnB9Yr+DLPim849pbm0NNzt0B1rzLw2nd:wBvKKdghAB9YreLPF84r1N5t0B1XT
7.990357
Created_By
FileContainer.FileArchive
FileContainer.FileStorage
OneDriveClient.OneDriveChannel
OneDriveClient.OneDrive
OneDriveClient.OneDrive
OneDriveClient.OneDrive
OneDriveClient.OneDrive
OneDriveClient.OneDrive
OneDriveClient.OneDrive
OneDriveClient.OneDrive
OneDriveClient.OneDrive
OneDriveClient.OneDrive
---End Functions---
The FileContainer module enumerates and categorizes files on the system; it can compute an MD5 hash of each file and compress files with the Gzip or Brotli algorithms. The OneDriveClient module uploads files to a Microsoft Azure server on the Internet.
The program looks for a configuration file with the same base name as the executable and an .ini extension, e.g., mqsvn.ini (25afc6741abfa27f5b50844331772466182ebe3f74bc84f911314d1a68c62cb2). If that file is not found, it falls back to 'config.ini' (See Figure 9).
The configuration file is decrypted with AES-256-CBC. The 32-byte key M(xcHq88q[s=pc7^+u_Gb_}JC%QQwP:h is obtained by base64-decoding the string TSh4Y0hxODhxW3M9cGM3Xit1X0diX31KQyVRUXdQOmg= embedded in the executable, and the first 16 bytes of that key are reused as the IV (See Figure 8 above). Because the key is hardcoded and the IV is derived from it, the configuration is only obfuscated: anyone holding the binary can decrypt any config file, and identical plaintext always yields identical ciphertext.
Other embedded strings are base64-decoded the same way to supply further parameters. For example, the string LmJtcDsuanBnOy5qcGVnOy50aWZmOy50aWY7LnBuZw== decodes to a block list of extensions the program skips, '.bmp;.jpg;.jpeg;.tiff;.tif;.png', and the string LmRvY3g7Lnhsc3g7LnBwdHg= decodes to the list of extensions the program compresses before encrypting and exfiltrating, '.docx;.xlsx;.pptx' (See Figure 10).
The configuration file contains a refresh token and ClientID for an OAuth client registered with Microsoft Azure, the path to the files targeted for upload, upload times, the encryption key used to encrypt files before upload, and compression parameters.
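The configuration handling described above, as an added worked example in Go; this is not code from the report or from the malware. It base64-decodes the embedded key string, reuses the first 16 bytes as the IV, decrypts an AES-256-CBC blob and strips the padding, then decodes the two extension lists and applies them to candidate file names. The report states neither the padding mode nor the .ini field layout: PKCS#7 padding and the key=value fields in sampleIni are assumptions, and because no real configuration ships with the example, the encrypted input is a constructed sample encrypted in-block with the same key and IV.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"path"
	"strings"
)

// Strings quoted in the report: the base64 AES-256 key and the two ';'-separated extension lists.
const (
	keyB64       = "TSh4Y0hxODhxW3M9cGM3Xit1X0diX31KQyVRUXdQOmg="
	blockListB64 = "LmJtcDsuanBnOy5qcGVnOy50aWZmOy50aWY7LnBuZw=="
	compressB64  = "LmRvY3g7Lnhsc3g7LnBwdHg="
)

// deriveKeyIV reproduces the report's scheme: base64-decode the embedded string to get the
// 32-byte key and reuse its first 16 bytes as the CBC IV. A fixed, key-derived IV means equal
// configs encrypt identically, so this is obfuscation rather than secrecy.
func deriveKeyIV(b64 string) (key, iv []byte, err error) {
	if key, err = base64.StdEncoding.DecodeString(b64); err != nil {
		return nil, nil, err
	}
	if len(key) != 32 {
		return nil, nil, errors.New("decoded key is not 32 bytes (AES-256)")
	}
	return key, key[:aes.BlockSize], nil
}

// decodeExtList base64-decodes a ';'-separated extension list into a lower-cased set.
func decodeExtList(b64 string) (map[string]bool, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	set := map[string]bool{}
	for _, e := range strings.FieldsFunc(string(raw), func(r rune) bool { return r == ';' }) {
		set[strings.ToLower(strings.TrimSpace(e))] = true
	}
	return set, nil
}

// classify applies the lists in the report's order: block list, then compress list, else encrypt as-is.
func classify(name string, block, compress map[string]bool) string {
	ext := strings.ToLower(path.Ext(strings.ReplaceAll(name, "\\", "/")))
	if block[ext] {
		return "skip"
	} else if compress[ext] {
		return "compress+encrypt"
	}
	return "encrypt"
}

// decryptConfig decrypts an .ini blob with AES-256-CBC and strips PKCS#7 padding. The report
// does not name the padding mode; PKCS#7 is an assumption (it is the .NET AES default).
func decryptConfig(blob, key, iv []byte) ([]byte, error) {
	if len(blob) == 0 || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of AES blocks")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(blob))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, blob)
	n := int(out[len(out)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(out[len(out)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding: wrong key or corrupt file")
	}
	return out[:len(out)-n], nil
}

// encryptConfig exists only to build a fixture; no real config ships with this example.
func encryptConfig(plain, key, iv []byte) []byte {
	block, _ := aes.NewCipher(key) // key length already checked by deriveKeyIV
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out
}

// Constructed sample (not recovered from the malware); fields follow the parameters the report lists.
const sampleIni = "ClientId=11111111-2222-3333-4444-555555555555\r\n" +
	"RefreshToken=REDACTED\r\nScopes=Files.ReadWrite offline_access\r\n" +
	"Path=C:\\Users\\Public\\Documents\r\nCompression=gzip\r\n"

// RecoverSampleConfig is the path an analyst runs on a real mqsvn.ini, ntstatus.ini or msexch.ini,
// minus the encrypt step that fakes the input here.
func RecoverSampleConfig() (string, error) {
	key, iv, err := deriveKeyIV(keyB64)
	if err != nil {
		return "", err
	}
	plain, err := decryptConfig(encryptConfig([]byte(sampleIni), key, iv), key, iv)
	return string(plain), err
}
```

To use this against a recovered configuration, replace the encryptConfig(...) call with the raw bytes of the .ini file; a padding error on a file of the right block length usually means the sample carries a different embedded key string, which is the first thing to re-check in the binary.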
mqsvn.exe
114688
PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
MD5
63cf36ac25788e13b41b1eb6bfc0c6b6
SHA1
22ab6af92ddd984bd054c21799742a5e498e8453
SHA256
3585c3136686d7d48e53c21be61bb2908d131cf81b826acf578b67bb9d8e9350
SHA512
52ecffb0004f5aee6f3a0c7e0edcbe1079845e20a712ac26854921dea9b46ece0d5f89698e833804ebdc9c3f525a8cc8c7a6d781b0caf3164b81cea17edae5c8
SSDEEP
3072:KNcJNunM5p0TKWODtcT1hR3o92JoeEcfcEcKHWjUNSGdyRCOKFWc70OrZKqaJjLt:Kyf0M5p0TKWwcBhR3o92JoRcJhHMUNSz
Microsoft Visual C++ v6.0
5.801283
3
2021-06-30 15:10:41-04:00
512
MD5
bdd5c1c64355001493f1f48cc64646a3
2.279615
Microsoft Corporation
AppVClient.exe
10.0.19041.84
None
© Microsoft Corporation. All rights reserved.
None
AppVClient.exe
10.0.19041.84
.text
112640
5.814718
MD5
204dc02c928d7206969d5e40f4ed4de4
.rsrc
1536
4.261328
MD5
c574847bfb2e8be8830c3d846238d2d6
Characterized_By
Used
Created
Characterized_By
Figure 9
Figure 10
mqsvn.ini
800
data
MD5
14b8e37952e1f532be9db40f654e6ac7
SHA1
01d6b5df5761904b7c8c6c4e34490675d4fa0f36
SHA256
25afc6741abfa27f5b50844331772466182ebe3f74bc84f911314d1a68c62cb2
SHA512
c427510f53e54eeea55e2b747bb58f46488f983c47699772d774a94038bc16b12d332741db958c63324258130b9d0376ae2687d5e7a622d9a853717680833f56
SSDEEP
24:Y4yqp1BHGwUtSiW0nwPQV1iIN1RBZchbLWuL6e7ZeY:tyqLBm9tSawPPIn7Kqm7t
7.761942
Used_By
mqsvn.log
39504
data
MD5
444ccf674588f47ab5638fb08db98b01
SHA1
4fcf2c22d2ea70430580b487a7834c165deee5d0
SHA256
603e75db59285734cfb5a469e984c4e359e660ccb7836ff9c209aec36931bc2b
SHA512
843cdead51e290ee5466f51f316c5199259b7e55b752efbdcfa83a5c64a0477a4ddcd3ab63785e9e25c01095670073884943fa0419797c0b74d30a9ae240d0cf
SSDEEP
768:eYarzB8pLwTFL/FX8ANpGMVYO5kELiD4Z8xKzvkA6A3zZesChaFRR:eYaXB8pKF18ANkMX6ELh8xivpzZDC4FH
7.995061
Created_By
msexch.exe
6656
PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5
baa634fdd2b34956524b5519ee97b8a8
SHA1
cdc7e3b6905f69d8330c4b0f71494a7db7ac61e7
SHA256
30191b3badf3cdbc65d0ffeb68e0f26cef10a41037351b0f562ab52fce7432cc
SHA512
cdcd245fc1dc5072918950b1950527f0b6284453f527623cb600afc775f2cde507278273c75b4af972ac976c06fa73d414350b92c24c7a1dec44aa05527ca532
SSDEEP
96:LDuLc7D604Vp9Rzj1HhaUA3zvDwi0MX7gtKflUTsqzNt:LDuw6rVd3aP7Dw9MEQmT
Microsoft Visual C++ v6.0
4.86918
3
2083-06-18 19:48:42-04:00
512
MD5
9b75c9220e4242a6403f02bb9da3d198
2.261868
1.0.0.0
AppStorage.exe
AppStorage.exe
1.0.0.0
.text
4608
5.236469
MD5
a69c4d0928332121839c97d955246112
.rsrc
1536
3.934855
MD5
0551c676439e5d812cb2bab3f2060c1b
Characterized_By
Related_To
Characterized_By
Dropped
Figure 11
Figure 12
msexch.bin
1834496
data
MD5
bd95f0df1272e5b2854b304c71930168
SHA1
2d28c56daf370370d1c4d95fd25e4f0a04ceda07
SHA256
e03a2c8a6e81cf62ba7401c598ea1d4635b08bbf9c2fec080b536dde29e6392f
SHA512
b01a5b459f0b3b619b742f717e7b536cf713dded36b542d5546a59333c6008aaab0c844a9979b4450dc1a1ced5af41beebfda41191920a678026c63fdf7934dd
SSDEEP
24576:KNCSFczkVbstNn2I4Evj6ZaIDLdjFu1u1Ww1YfduAiG52Qqlsvz66ZG+b38tTnt4:hz7ePzJuss4caq
6.682404
Related_To
OneDriveClient.OneDrive+
OneDriveClient.OneDrive+
OneDriveClient.OneDrive+
OneDriveClient.OneDrive+
OneDriveClient.OneDrive+
OneDriveClient.OneDrive+
OneDriveClient.OneDrive+
OneDriveClient.OneDrive+
OneDriveClient.OneDrive+
---End OneDriveClient Functions---
OneDriveChannel. – This function establishes the connection to the server.
OneDriveChannelSettings. – This function reads the ClientID, Redirect, Refresh Token, and Scopes from the configuration file, msexch.ini, and uses them to negotiate the OAuth connection.
UploadedFiles. – This function logs the hash and the file path of each uploaded file into two files: msexch.log holds the list of file hashes and msexch_temp.log holds the list of file path hashes (See Figure 7 above).
---End OneDriveClient Functions---
The program also contains supporting libraries for SMB protocol versions 2 and 3. These libraries can maintain lists of IP addresses, logins, domain names, passwords, and SMB clients, which are used to search for and log into SMB file shares. Files can be searched by path, by status (e.g., open or closed), and by attributes (e.g., shared, read-only).
Uploader.exe
1834496
PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
MD5
f54ae2b0d51bb4cdc2a142733f122311
SHA1
184adab2435e4b0f9b02521fed5e56390b5e775f
SHA256
d221ca9c519ae04c7724baca8d36c2ce77454e0f9aa0f119ecfa9246973a92f8
SHA512
97ed8086dde00af3cbf51c02073aec28957a6bf354799f489ee7c457e82e0b21d7d2fb6ba46589675ed22d51aa0d973ab7d4132a2aeeb0adf15da618d4fb83cd
SSDEEP
49152:Z2f6rfgMSneK065JlYaDmxZF5ax00MSMoOKiYyBg9FzfJNFL5QPWES2s1B+dBrSC:Z2f6rfgMSneK065JlYaDmxZF5ax00MSt
5.580993
4
2021-09-24 14:56:17-04:00
512
MD5
a1eef53765269a304aaa217af7ede436
2.725476
1.0.0.0
ClientUploader.exe
ClientUploader.exe
1.0.0.0
.text
1831936
5.583032
MD5
489bbfac9377f3ef9a60f9d64d9ccda8
.rsrc
1536
3.97147
MD5
5488f249cf62feed84546911d54f96f2
.reloc
512
0.10191
MD5
fbf8fada938118d358a40e73eb0c8bb9
Used
Created
Created
Dropped_By
msexch.ini
4816
data
MD5
d3951137283e84d42f85bb91f0ccfcdd
SHA1
450982b1420a97dcedb15fb058e00e108d240bb7
SHA256
52765525103f5b3b07d0882cc8ee4bb8e279ad5d451e1ed07cae3b98565cce29
SHA512
082594fced158d5597e1b34ec220fd873365f3ec282add680fc84d4b31010c2485e97611049c2d1432b6a1014784e06d3b11f14a815252a28c0c38c4eb5a31e1
SSDEEP
96:XaMTeYZR1Bm3AboPwVUJyWvihHbP11Ho+5EGsW7MlDz1v7Yrtgx3X:XaWZZR1Bx9VP16+5jRQlDR8U
7.963703
Used_By
msexch.log
103904
data
MD5
30ea2a37c7174ed8c3ab88aecee0002b
SHA1
3a6f2826aab7948d8b930f6bf13897160c198807
SHA256
09605981a072c604e6ef9ad2dd7d2a78b48b07ee3339589bfcf0a466a9190904
SHA512
0a78caf6257b8b58578181a9555bf9cee24b1bfced078855145f79757701a53a15968d9bb6acc74fdc9469bd28fa82a53b8d52669fa3952824f51339bd94ad7a
SSDEEP
3072:OcopRvQIpMV/EN6PmW9tV/PUdpogFeSQx7:CpVFp8/pFhPUdponR7
7.99849
Created_By
msexch_temp.log
103904
data
MD5
20b7eb0af9b9e7403a298f7966d5a1d4
SHA1
b2018e61e8b435b6a172b35774377ebc16fd0168
SHA256
6a0cd866c849e62f9ccc26575d8794c2e0b14722387742b965d4358e1e0e8b3c
SHA512
3695120b452c103f54c4eb738648621f162850ec32aca734ecdd552755ecced1500aaf789ec1bf45afc5df4fcfd6144ca4d1fff415a25656dd5493f81b221bfe
SSDEEP
3072:2H05Z4/LivIjqjSXZa8HaDhpfUcJkm0YK/:29ivImjSX9qnUcdi
7.998385
Created_By
vmware.ps1
10436
ASCII text
MD5
4825b1e32ff062f4671d5420661695af
SHA1
0cbf85f88e2fb0bc721357acdd543d5a1957886f
SHA256
fae38156e9ce12368c846836b87861f4f12e14698cb65f14545205fa56d8c496
SHA512
a58298346cdf35e432d755942ef2690c6e3182a4fab03df163142e42cdcb0d7bc3810c647078a779d15ee0676b0eacfa59c38512671dc86264b42f2c8d69edb8
SSDEEP
192:k9XNMA6GyvE0XJvP0EN3ab3Akz9JUWCUVCRB7/dUV/TpraVm5efUo9wQUyfa3gpA:k9XNMA6pXJvPCUjUmUvaME8obUaYgpj8
4.979828
vmware.exe
497104
PE32 executable (console) Intel 80386, for MS Windows
MD5
0acb06da48d86e1ef15c27a4f5a3bddd
SHA1
12dd7a86001ff2b6b661cd7de60ca6aadc9b78ae
SHA256
bfa7adeda4597b70bf74a9f2032df2f87e07f2dbb46e85cb7c091b83161d6b0a
SHA512
98fbcd4e190e0bc17dc712bbbe808c7d24610c334925381544fb16a8f75931db1c5f6597cafbe6a12a9050e482e55351bedb76b40573f8a7489e3c7755bdecd2
SSDEEP
12288:1NsUjyDukqiudnJkx3piQLmGLvdnTJ0CRUyF1I3Kl:1mkyDuZiCccQLmGpTrCm1I3g
Microsoft Visual C++ ?.?
6.459391
6
2014-12-02 05:07:13-05:00
1024
MD5
98efedab8c1234a79df40e93dc82e136
2.635435
Alexander Roshal
Command line RAR
5.20.0
Command line RAR
Copyright © Alexander Roshal 1993-2014
None
WinRAR
5.20.0
.text
410112
6.587893
MD5
0b760a9dbbf12c5d32ca265879aabdb2
.rdata
27136
4.857459
MD5
3874d7a1d17b892215dc07687ac3b75c
.data
8192
3.720474
MD5
e28ebcc7f9a5e3d463ee9d9de071e085
.rsrc
31232
3.540367
MD5
5ad98aabb9c5996ee180a98ff9543866
.reloc
14336
5.427399
MD5
ec534cec214c136ef4552b79103e2eaa
CISA_Consolidated.yara: CISA_10365227_03
Malware Artifacts
MD5
806998079c80f53afae3b0366bac1479
SHA1
9f7378da13ca1da75e12e536c8e2dc4cd2236489
SHA256
84164e1e8074c2565d3cd178babd93694ce54811641a77ffdc8d1084dd468afb
NCCIC
http://plusvic.github.io/yara/
NCCIC
2022-09-20T18:37:46+00:00
MD5 and SHA1 of Malicious File
Malware Artifacts
MD5
a0ab6d3e643d4dd51ee6ae9079b175a4
SHA1
f179fcc4c41ca5cb443551f88a1074d5176d33f4
SHA256
91a8b31c126a021f5c156742016acdcca7d83eac4b583bae5d4fd0a85a96813b
NCCIC
2022-09-20T18:37:46+00:00
CISA_Consolidated.yara: CISA_10365227_01
Malware Artifacts
MD5
c435d133b45783cce91a5d4e4fbe3f52
SHA1
9ddfa0669358bc19a166a41fd93cec5a3c88205d
SHA256
157a0ffd18e05bfd90a4ec108e5458cbde01015e3407b3964732c9d4ceb71656
NCCIC
http://plusvic.github.io/yara/
NCCIC
2022-09-20T18:37:46+00:00
MD5 and SHA1 of Malicious File
Malware Artifacts
MD5
d5a7b90177cdf81c2e1de40dc834d764
SHA1
d5dee0a05101cf9ed3c3ca76cf01f518c3ef922c
SHA256
b03ac5eaf2131060ee381e5e46ebc705d8d617a90cc61fa4918174545b4fbaa6
NCCIC
2022-09-20T18:37:47+00:00
MD5 and SHA1 of Malicious File
Malware Artifacts
MD5
27a0ba098b8403570c7b1e0863c2d6c5
SHA1
22cb98b9548ffd1010b2799a791ef42b8943f3c9
SHA256
1352dbb093a337eb8db9d0135adbe0542bb7e7163616e4f8962919becab171da
NCCIC
2022-09-20T18:37:47+00:00
MD5 and SHA1 of Malicious File
Malware Artifacts
MD5
b1a7c2ae593e814cfecdcff709b02615
SHA1
ababa956175b2ddae7ec92162a8464b40b79064a
SHA256
da267c72f58ec487761de99d0f3bcfd87771a36afc06716053960633a74139df
NCCIC
2022-09-20T18:37:47+00:00
CISA_Consolidated.yara: CISA_10365227_02
Malware Artifacts
MD5
63cf36ac25788e13b41b1eb6bfc0c6b6
SHA1
22ab6af92ddd984bd054c21799742a5e498e8453
SHA256
3585c3136686d7d48e53c21be61bb2908d131cf81b826acf578b67bb9d8e9350
NCCIC
http://plusvic.github.io/yara/
NCCIC
2022-09-20T18:37:47+00:00
CISA_Consolidated.yara: CISA_10365227_01
Malware Artifacts
MD5
baa634fdd2b34956524b5519ee97b8a8
SHA1
cdc7e3b6905f69d8330c4b0f71494a7db7ac61e7
SHA256
30191b3badf3cdbc65d0ffeb68e0f26cef10a41037351b0f562ab52fce7432cc
NCCIC
http://plusvic.github.io/yara/
NCCIC
2022-09-20T18:37:48+00:00
MD5 and SHA1 of Malicious File
Malware Artifacts
MD5
bd95f0df1272e5b2854b304c71930168
SHA1
2d28c56daf370370d1c4d95fd25e4f0a04ceda07
SHA256
e03a2c8a6e81cf62ba7401c598ea1d4635b08bbf9c2fec080b536dde29e6392f
NCCIC
2022-09-20T18:37:48+00:00
MD5 and SHA1 of Malicious File
Malware Artifacts
MD5
f54ae2b0d51bb4cdc2a142733f122311
SHA1
184adab2435e4b0f9b02521fed5e56390b5e775f
SHA256
d221ca9c519ae04c7724baca8d36c2ce77454e0f9aa0f119ecfa9246973a92f8
NCCIC
2022-09-20T18:37:48+00:00
MD5 and SHA1 of Malicious File
Malware Artifacts
MD5
d3951137283e84d42f85bb91f0ccfcdd
SHA1
450982b1420a97dcedb15fb058e00e108d240bb7
SHA256
52765525103f5b3b07d0882cc8ee4bb8e279ad5d451e1ed07cae3b98565cce29
NCCIC
2022-09-20T18:37:48+00:00
MD5 and SHA1 of Malicious File
Malware Artifacts
MD5
4825b1e32ff062f4671d5420661695af
SHA1
0cbf85f88e2fb0bc721357acdd543d5a1957886f
SHA256
fae38156e9ce12368c846836b87861f4f12e14698cb65f14545205fa56d8c496
NCCIC
2022-09-20T18:37:49+00:00
MAEC Characterization of 806998079c80f53afae3b0366bac1479
Avira
HEUR/AGEN.1221987
information-stealer
uploader
MAEC Characterization of c435d133b45783cce91a5d4e4fbe3f52
Bitdefender
Gen:Variant.Tedy.82790
McAfee
Generic trojan.ri
Symantec
Process timed out
NETGATE
Malware.Generic
ESET
a variant of MSIL/Agent.VOV trojan
Adaware
Gen:Variant.Tedy.82790
obfuscated
trojan
MAEC Characterization of d5a7b90177cdf81c2e1de40dc834d764
Symantec
Unavailable (production)
MAEC Characterization of 63cf36ac25788e13b41b1eb6bfc0c6b6
IKARUS
Trojan.MSIL.Crypt
downloader
MAEC Characterization of baa634fdd2b34956524b5519ee97b8a8
Bitdefender
Gen:Variant.Tedy.82790
Adaware
Gen:Variant.Tedy.82790
10365227.r1.v1
Malicious Code
Malicious Artifact Detected