General

  • Target

    WH.bin.zip

  • Size

    1.7MB

  • Sample

    201016-jsk72etjq6

  • MD5

    61ae6dd71cdc40404bf34d4b4d3d2602

  • SHA1

    2575635cf71c49375a5ef80f241631255ab71b34

  • SHA256

    595283dea6d3580d8bf029f5c4f2a9455cb3e6f4a80d991c9ccd042a9b7f1c46

  • SHA512

    efad5a096fc3912e4ce7027aef25186cb61562cfc6c88f5907a33b2826a4826aed1ff46586a221d7fc3f48d7aecb9b365a55ac123934db2b732304735f753263

Malware Config

Targets

    • Target

      WH.bin

    • Size

      1.7MB

    • MD5

      7a1e1f12d0e97649ffcdea5146e1b895

    • SHA1

      51b13d720c9e04164472f2e68fcc32b33d8e6dc9

    • SHA256

      86cc6fe990be31c83877e9441902c4a3201c07321a0aca53d6d2486011cabe6f

    • SHA512

      579cd70d024f6126e34bbbed45fa4298c24d7f5e5f76e3d357e9a7fd3d26b655367f3f9e7924f56453b7cf72dd651faa3731223f1718172d33d81136b6815223

    • Parasite, Nexus

      Parasite (or Nexus) is an infostealer written in C++.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks