General

Target: 65eb2851bf0b7794f3442f62d51e1833
Size: 8.0MB
Sample: 201117-g5jm7f1mas
MD5: 06c1dee8505ab9f0345849db48177ef6
SHA1: aae8a18be4ed5ea18f564a0dbf60fb18abe1fd06
SHA256: e2036d6cbcc1de0192dab10d1a1233fae74c3b44dba93ef8e218f201f5247349
SHA512: ad965f2fc561a948a1bf8f9ae0c1cd46e26b85c5833cd019a693dbc331672cb9f19364b3e21321a5580a8b939ddbcf09de1158ace6afe48e96d4391cd97cd190
Static task: static1
Behavioral task: behavioral1
  Sample: 65eb2851bf0b7794f3442f62d51e1833.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 65eb2851bf0b7794f3442f62d51e1833.exe
  Resource: win10v20201028
Malware Config

Extracted
Protocol: ftp
Host: yatukeba.zzz.com.ua
Port: 21
Username: yatukeba3@yatukeba.zzz.com.ua
Password: P5zHSc12Sc
Targets

Target: 65eb2851bf0b7794f3442f62d51e1833
Size: 8.0MB
MD5: 06c1dee8505ab9f0345849db48177ef6
SHA1: aae8a18be4ed5ea18f564a0dbf60fb18abe1fd06
SHA256: e2036d6cbcc1de0192dab10d1a1233fae74c3b44dba93ef8e218f201f5247349
SHA512: ad965f2fc561a948a1bf8f9ae0c1cd46e26b85c5833cd019a693dbc331672cb9f19364b3e21321a5580a8b939ddbcf09de1158ace6afe48e96d4391cd97cd190
Score: 10/10

- Modifies WinLogon for persistence
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Modifies boot configuration data using bcdedit
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
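As an added example (not part of this report and not the sandbox vendor's own signature engine), the Python script below maps a process trace to the signature names listed above, so that a practitioner can reproduce the same triage from their own Process Monitor or hooking output. The trace format `(operation, target)` mimics a Process Monitor export and every line in `SAMPLE_TRACE` is constructed for the demo; the registry paths (the `VBOX__` ACPI tables, `SystemBiosVersion`/`VideoBiosVersion`, `SOFTWARE\Wine`, the `Uninstall` tree, the Winlogon `Shell`/`Userinit` values) and the bcdedit options are commonly seen indicators assumed for illustration, not values observed from this sample. Note the two distinctions the scoring relies on: only a write (`RegSetValue`) to Winlogon counts as persistence, a read is routine; and a single BIOS read is not reported on its own, because legitimate installers do it too.

```python
"""Map a process trace to the sandbox-report signature names (added example)."""
import re
from collections import Counter

# (signature name from the report, operations it applies to, regex on the target).
# Paths and options are assumed common indicators, not data from this sample.
RULES = [
    ("Checks BIOS information in registry",
     {"RegQueryValue"},
     r"HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|SystemBiosDate|VideoBiosVersion)$"),
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)",
     {"RegOpenKey", "RegQueryValue"},
     r"HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__"),
    ("Identifies Wine through registry keys",
     {"RegOpenKey", "RegQueryValue"},
     r"\\SOFTWARE\\Wine(\\|$)"),
    ("Checks installed software on the system",
     {"RegOpenKey", "RegEnumKey", "RegQueryValue"},
     r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall(\\|$)"),
    # Only a *write* to these values is persistence; reads of Winlogon are routine.
    ("Modifies WinLogon for persistence",
     {"RegSetValue"},
     r"\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit|Notify.*)$"),
    # Assumed bcdedit options: those commonly used to disable recovery/integrity checks.
    ("Modifies boot configuration data using bcdedit",
     {"Process Create"},
     r"bcdedit(\.exe)?\b.*(/set\s.*\b(bootstatuspolicy|recoveryenabled|testsigning|nointegritychecks)\b|/deletevalue)"),
    ("Drops file in System32 directory",
     {"WriteFile"},
     r"^C:\\Windows\\System32\\[^\\]+$"),
    ("Suspicious use of NtSetInformationThreadHideFromDebugger",
     {"ApiCall"},
     r"NtSetInformationThread\(.*ThreadHideFromDebugger"),
]

# Signatures that are anti-analysis checks rather than actions on the host.
ANTI_ANALYSIS = {
    "Checks BIOS information in registry",
    "Identifies VirtualBox via ACPI registry values (likely anti-VM)",
    "Identifies Wine through registry keys",
    "Suspicious use of NtSetInformationThreadHideFromDebugger",
}

# Constructed trace in Process Monitor style; nothing here is from the sample.
SAMPLE_TRACE = [
    ("RegOpenKey", r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"),
    ("RegQueryValue", r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    ("RegQueryValue", r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    ("RegOpenKey", r"HKCU\SOFTWARE\Wine"),
    ("RegOpenKey", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"),
    ("RegEnumKey", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"),
    ("RegQueryValue", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"),
    ("RegSetValue", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"),
    ("Process Create", r'"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures'),
    ("Process Create", r'"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled No'),
    ("WriteFile", r"C:\Windows\System32\payload_constructed.exe"),
    ("ApiCall", "NtSetInformationThread(ThreadInformationClass=ThreadHideFromDebugger)"),
    ("RegQueryValue", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"),
]


def classify(operation, target):
    """Return the signature names that one (operation, target) event triggers."""
    return [name for name, ops, pattern in RULES
            if operation in ops and re.search(pattern, target, re.I)]


def triage(trace):
    """Count signature hits over a whole trace; returns {signature: hit count}."""
    counts = Counter()
    for operation, target in trace:
        counts.update(classify(operation, target))
    return dict(counts)


def verdict(counts, anti_analysis_threshold=2):
    """Host-modifying signatures are always reported; anti-analysis checks are
    reported as one finding only once several distinct ones fire, because a
    lone BIOS read is common in legitimate installers."""
    flags = sorted(sig for sig in counts if sig not in ANTI_ANALYSIS)
    hit_anti = ANTI_ANALYSIS.intersection(counts)
    if len(hit_anti) >= anti_analysis_threshold:
        flags.append("Anti-analysis checks (%d distinct)" % len(hit_anti))
    return flags


if __name__ == "__main__":
    hits = triage(SAMPLE_TRACE)
    for sig, n in sorted(hits.items()):
        print("%2d  %s" % (n, sig))
    print("\n".join(verdict(hits)))
```

Running it against `SAMPLE_TRACE` produces two BIOS hits, two bcdedit hits, one each for the remaining rules, and a verdict of four host-modifying findings plus one aggregated anti-analysis finding; the Winlogon read on its own produces nothing, which is the behaviour you want before alerting on it.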