General
- Target: Vape.bin.zip
- Size: 1.1MB
- Sample: 210105-twlv3x4yts
- MD5: 46507506e8a38ddb240258066664083f
- SHA1: 9fba1caee74179138cf5a30ca68159d3efb99dab
- SHA256: 9f714adc9de1c111fb4db196aa7ee2089fb9eb6942fb030a2a71431c4eef5517
- SHA512: 8af1a4977b323a94da1e678b985d7fd11b4aa8dcdeb7504527d3b2d234d4e8e39ec156f08970a8cc8cc465bf5bc5ff89ca1c28ace82990464c26ef1dacfd4164
Static task
- static1

Behavioral tasks
- behavioral1: Sample Vape.bin.exe, Resource win10v20201028
- behavioral2: Sample Vape.bin.exe, Resource win10v20201028
- behavioral3: Sample Vape.bin.exe, Resource win10v20201028
- behavioral4: Sample Vape.bin.exe, Resource win10v20201028
Malware Config

Targets
- Target: Vape.bin
- Size: 3.0MB
- MD5: dad51e4898b39812e8a03214e612c795
- SHA1: 1d20dc5a9d8b1d0d67df0169f26e6af6c6481e06
- SHA256: 4c9666fd8b845f51714d4a52f3b219bfb317835af164f17de6ab97097b0b3158
- SHA512: ef50cf65924f39bcd62248fabefd58d68e0f8fa73ee4879f1a62bae8107b0c7d620de6f9d76b74bde5fde73400061c97a6f469389aa953e3a6c10f5cccfb0911
- Detected Xorist Ransomware
- Modifies security service
- Suspicious use of NtCreateUserProcessOtherParentProcess
- NirSoft MailPassView: password recovery tool for various email clients
- NirSoft WebBrowserPassView: password recovery tool for various web browsers
- Nirsoft
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies extensions of user files: ransomware generally changes the extension on encrypted files.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Drops startup file
- Reads user/profile data of web browsers: infostealers often target stored browser data, which can include saved credentials.
- Uses the VBS compiler for execution
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext