Lazarus_Linked_Malware_Targets_Windows

This article analyses the malware sample 875b0cbad25e04a255b13f86ba361b58453b6f3c5cc11aca2db573c656e64e24.exe, attributed to the Lazarus Group, a state-sponsored threat actor. Sandbox analysis with tools such as ANY.RUN and Hybrid Analysis reveals the malware’s behaviour, including process injection and registry modification; it primarily targets Windows systems and is expanding to Linux and macOS environments. Key indicators of compromise (IOCs), such as malicious file hashes and suspicious URLs, are also highlighted. Affected: Windows, Linux, macOS, financial institutions, corporate networks.

Key points:

  • The malware is linked to the Lazarus Group and targets Windows systems.
  • Advanced Persistent Threat (APT) characteristics indicate its malicious intent.
  • Static analysis reveals high entropy, indicating possible packing or obfuscation.
  • Dynamic analysis shows the malware attempts to modify registry entries for persistence.
  • Key indicators of compromise (IOCs) include malicious file hashes and suspicious domains.
  • Network analysis identifies connections to suspicious IP addresses and URLs.
  • Malware behavior indicates process injection and exploitation of system vulnerabilities.
  • Remediation steps include blocking C2 endpoints and conducting system scans.
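The static-analysis key point above uses high entropy as a signal of packing or obfuscation. The following Python is an added example (not code from the original article) that walks the DOS header, PE signature and section table by hand, computes Shannon entropy per section, and flags sections above a 7.0 bits-per-byte threshold; the PE-shaped blob it scores is constructed inside the script and is not the sample discussed here. The threshold and section names are assumptions for illustration.

```python
import math
import struct
from collections import Counter

PACKED_THRESHOLD = 7.0  # bits per byte; compressed or encrypted sections usually sit above this

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_sections(blob: bytes):
    """Yield (name, raw_bytes) per section by walking DOS header -> PE signature -> section table."""
    if blob[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0]          # e_lfanew
    if blob[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    for i in range(num_sections):
        entry = table + 40 * i                                 # IMAGE_SECTION_HEADER is 40 bytes
        name = blob[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", blob, entry + 16)
        yield name, blob[raw_ptr:raw_ptr + raw_size]

def packed_sections(blob: bytes, threshold: float = PACKED_THRESHOLD) -> dict:
    """Return {section_name: entropy} for every section whose entropy exceeds the threshold."""
    scores = {name: round(shannon_entropy(data), 3) for name, data in pe_sections(blob)}
    return {name: e for name, e in scores.items() if e > threshold}

def build_sample_pe(sections) -> bytes:
    """Constructed, header-only PE-shaped blob to exercise the parser (not a runnable binary)."""
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)        # DOS header, e_lfanew = 64
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    raw_ptr = len(hdr) + 40 * len(sections)                 # raw data follows the section table
    table = payload = b""
    for name, data in sections:
        table += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(data), 0, len(data), raw_ptr, 0, 0, 0, 0, 0)
        raw_ptr += len(data)
        payload += data
    return hdr + table + payload

# Constructed sample: code-like bytes, zero-filled data, and a uniformly distributed "packed" section.
SAMPLE_PE = build_sample_pe([(b".text", bytes(range(16)) * 32), (b".data", b"\0" * 256),
                             (b"UPX1", bytes(range(256)) * 2)])
```

Run `packed_sections(open(path, "rb").read())` on a real binary to get the same per-section view; a near-8.0 section alongside a tiny unpacking stub is the classic packer profile worth a closer look.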

MITRE Techniques:

  • T1071 – Application Layer Protocol: The malware uses HTTP for command and control communications.
  • T1059 – Command and Scripting Interpreter: It exploits command-line tools and scripting for execution.
  • T1064 – Scripting: The malware uses scripting capabilities within the system for process injection.
  • T1546 – Event Triggered Execution: Modifies registry keys for persistence during system start-up.
  • T1086 – PowerShell: Potential use of PowerShell commands for process manipulation and exploitation.

Indicators of Compromise:

  • [Filename] 875b0cbad25e04a255b13f86ba361b58453b6f3c5cc11aca2db573c656e64e24.exe


Full Story: https://medium.com/@InfoSecDion/unpacking-apt38-static-and-dynamic-analysis-of-lazarus-group-malware-d2828e0fd6f0
