Resubmissions

  • 17-01-2021 19:18

    210117-5hwxlye88x (score 10)

  • 17-01-2021 17:05

    210117-6jkt8jz44e (score 10)

  • 17-01-2021 10:25

    210117-ncy8vksfgn (score 10)

General

  • Target

    cbfiles.zip

  • Size

    204.2MB

  • Sample

    210117-5hwxlye88x

  • MD5

    516868e969099c727bdb926e11da6fb2

  • SHA1

    9bb50affde93017d1d87dcd5acab77f92d1101c5

  • SHA256

    6c551a1172a33d11b974f02a5e5489f851fcf1899e877c7e59abd2f650526c19

  • SHA512

    81c9d53ef842200e1c196ceae01b856f0c405c6e2b2c8180c530493e78e0d31a3d685b20df756c175ac86da67fba3d076e45c00439ab74fe8f47d22f3252da83

Malware Config

Targets

    • Target

      0caa6fb680e981e7d3353f19f830903c9e6438ecb14ddaa237ce747619d7d4c6

    • Size

      513KB

    • MD5

      888ddaf3d1539e84e9b6de38263fbbe5

    • SHA1

      03a207de60e69dd6b7d293d4d3ec9d7b6c29a197

    • SHA256

      0caa6fb680e981e7d3353f19f830903c9e6438ecb14ddaa237ce747619d7d4c6

    • SHA512

      ba311147160b50edab59a0472bf01c175e6251371c8a0dc4a7b0e0e4bbd83ebcbbb9616f7066c564344a7ca6e636718adbe612618747bf0b00718c9a973c3903

    Score
    10/10
    • Modifies WinLogon for persistence

    • Drops file in System32 directory

    • Target

      165ec181ff15e423abd3aa500bea857faf12fa34b4d53618028bd7a69af2eb71

    • Size

      1.9MB

    • MD5

      1609f54906b28c1017f73c13d07ce375

    • SHA1

      f7c1e2edd6235874dd8a4794fcbae1702135a7c5

    • SHA256

      165ec181ff15e423abd3aa500bea857faf12fa34b4d53618028bd7a69af2eb71

    • SHA512

      00f7fcb43e7aa1b38c2eef46b1f6f14c43b9d421762082ca4cdc953dc7a370f26d31935b2e1871fd691ebd872ab5bb5619e44e6a7b035d692586fcb50a3f7c06

    Score
    9/10
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      19f1fcac5e8dbd1d8ff78a295a3a16b533defb40a414dd360a6f75ca5101ac22

    • Size

      3.8MB

    • MD5

      159d99d1c7dabfcbb864fb263e03bb87

    • SHA1

      30bd2880c9af88eab81f9a18c13d18d2d2f55afc

    • SHA256

      19f1fcac5e8dbd1d8ff78a295a3a16b533defb40a414dd360a6f75ca5101ac22

    • SHA512

      40571a4b0a9a2ef2b9c49151521bd8f5cbc105367ba9f6d34c6eee692d05aecd08ec5b40b4ba8289000c403a16258e36a91497157562a9cd343f86f9ec4f87f1

    Score
    1/10
    • Target

      1a3642fa7da48a4950a11c6346c5fa1b3a61eff52c076603b1c4d005406cfede

    • Size

      4.3MB

    • MD5

      7b65065d72848703e2aa7a8788e182f8

    • SHA1

      939281d92b016157bc32a36876a957fa141dcce3

    • SHA256

      1a3642fa7da48a4950a11c6346c5fa1b3a61eff52c076603b1c4d005406cfede

    • SHA512

      cba2b883a103adaf2060138ee58f2e1a98520dca5e55b979584c49e42cf36af5915d5b95c7a00cee04766f9808a9dede3ad31d730f8f9873f44809855e3c30a3

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      1d6d8960e8999bed25a88c4b9c8ad5f92f5314f2b50a012bcc7a6873ddcba25d

    • Size

      1.9MB

    • MD5

      68f146252671d1b383a8dd88400461c2

    • SHA1

      882571d799c61fb29b3dac4d713bc7c06f92f9f4

    • SHA256

      1d6d8960e8999bed25a88c4b9c8ad5f92f5314f2b50a012bcc7a6873ddcba25d

    • SHA512

      8b99e603acdda4b8383fa3d553e71431b9addbc1ff5c195664530e18346fad7692254e60a739252bb53366f07f10aa9c2a65e078a4ec733be028dfaac7e7deef

    Score
    9/10
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      213f46a61158000136d67452f6c638949db7a60674ed2af8379f6bbe7acb49fc

    • Size

      1.8MB

    • MD5

      37f95f0c742f9bb6c5f6d1b49a9f1e92

    • SHA1

      92d17b64c02a1ae01b49cda80a21042505d1eb3d

    • SHA256

      213f46a61158000136d67452f6c638949db7a60674ed2af8379f6bbe7acb49fc

    • SHA512

      c6ea684e9f53b46d86519c7920048ca5fbd07a42b7b372cbff33b590d5f4bcb0acda1104379503d403d1931bdd333ec74a571fb97f54abc7bf7cbc978c8a06ad

    Score
    9/10
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      284c9bd06ae67203244ed420c798188c7d0846938b21ba970ce64318452d6947

    • Size

      1.9MB

    • MD5

      a2db656c0369a9762ff24827848e8ea2

    • SHA1

      a88a7d679bb6e30467ffbed426c65a0c32074a3a

    • SHA256

      284c9bd06ae67203244ed420c798188c7d0846938b21ba970ce64318452d6947

    • SHA512

      c6c1c5619948566fa090a51bac8c91b8e6411d108b1fe2e246a4c8bf60face16d4bfca37e8950486cef843518eefb47cf2159ead8b331723cecc8d5179bfc32b

    Score
    9/10
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      2b08cbe646e4941556c400c8a9f4f2a073514d0ef919a88612696907f560aed4

    • Size

      1.9MB

    • MD5

      cc181563a24cc07810b1f6b583dd9293

    • SHA1

      729ed392cea5df30cf5f85a3b89361aac541b418

    • SHA256

      2b08cbe646e4941556c400c8a9f4f2a073514d0ef919a88612696907f560aed4

    • SHA512

      eeb7e7cbd6db581326bf4627947ae1c4610c8f6fb5e5ef2b41173c7dd44c87995c12480c19bc164504c33ede7fb286900b32f4c24d0d97c1c139d7a88417097e

    Score
    9/10
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      2c44be72321c29c1c20f09fb5c78ed59b76a74926f5581a77b13c6fafb502076

    • Size

      9KB

    • MD5

      ce0d45f37184b93d6c6f9d32f08560a0

    • SHA1

      cbb10ea66958db8abfd3eeed8ae921a56fd4e0b5

    • SHA256

      2c44be72321c29c1c20f09fb5c78ed59b76a74926f5581a77b13c6fafb502076

    • SHA512

      91f5cddd4c88d831bedea49b458334d53d77cad93840781fddb7ab1136dc448edf9f7d2f26469df9bb8bf63ac290fec14a31f9a9a40eece2d6450db734d4fca4

    Score
    6/10
    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      2e1deb95bfe713cf40cbb21b3821a83bb1d3cdda412ce78456e3e31741034cf0

    • Size

      1.8MB

    • MD5

      5cb0d38498c5fc6e34ae337ffc19b2f6

    • SHA1

      49d1633f21e953e11bc3dc29040277ca47804c13

    • SHA256

      2e1deb95bfe713cf40cbb21b3821a83bb1d3cdda412ce78456e3e31741034cf0

    • SHA512

      85ad630c54dda9bd0e7c1132c13d2680c62ead849b1d9fb42fee252e0b030ca935080a933887931ae45574c7e2d9210d6bfc101f8d510e27700461e1cc22ffdc

    Score
    9/10
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      2f7a2890d38eeb574b1c357854c137c1403dfc0db6410a8e0186339da862c52b

    • Size

      4.5MB

    • MD5

      c20351b808023b220b948a520e5eb163

    • SHA1

      6db7728a2ed6406b6d83761df9676e66f6895878

    • SHA256

      2f7a2890d38eeb574b1c357854c137c1403dfc0db6410a8e0186339da862c52b

    • SHA512

      939433491c7df9f0fbe8017ac66f5b45b4011d4e3ae2d27fc1718751b9f14d5b1d04020ed4c2ee176be39d1145ec1c4584d6c0d54549bedf7fffdbfe7e20a390

    Score
    8/10
    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      36fc7610e543a7bc9bee637ddb0c03263dd1b6964774cfbced9f649a01def36f

    • Size

      1.9MB

    • MD5

      2fccc27c521a5637b2a566151700eb24

    • SHA1

      d6739cf160f5820d07d3b097007ccd53fae07673

    • SHA256

      36fc7610e543a7bc9bee637ddb0c03263dd1b6964774cfbced9f649a01def36f

    • SHA512

      2dc36d10e9b8ccd8f4fb791eb0fdba27d0be34853a637a80918237de9b4b22740a203cab380247b86e42cb59799cc77fbd8dc151170f9af10934a9d55037958b

    Score
    9/10
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      3842928b05f44dcd7d813c2f5c53c86b032ef689983f287f7c4edb4bab2a096a

    • Size

      883KB

    • MD5

      e9e137a635eccb83d460c9c583930a00

    • SHA1

      22271f2f3e5632032d91ab0fdbce40bbd7d02126

    • SHA256

      3842928b05f44dcd7d813c2f5c53c86b032ef689983f287f7c4edb4bab2a096a

    • SHA512

      ad3b8000b6d7db2d327e9be3f4a4d369306c1aea96d2113465e77fb6e24e446dd545e9b2065f91a3961f23996e46f77d5d52f7a1ea8329c983a52897a6e01355

    Score
    8/10
    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      3af2caadbf55cfcf7c91403368d2aee7db836203a27bf2ad48895d6d696c68ae

    • Size

      1.9MB

    • MD5

      46858b82845b82eb2136122b5841866c

    • SHA1

      ffd6895f62d153729ac3b1203204b9df135ec454

    • SHA256

      3af2caadbf55cfcf7c91403368d2aee7db836203a27bf2ad48895d6d696c68ae

    • SHA512

      d11fbed54498f97562a52fd5afc579d9b26f50b7357e4be24cef5afd1bfbfc5886fe8f82e21ddfff97008a749e37d6362c40828ca98188e387dcb94cc27d25ee

    Score
    9/10
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      416baeb19adb37e66000e685e04d70586b022f5d36ae411080f89e5590bb8f40

    • Size

      56.1MB

    • MD5

      2f916f4272d4426fd629810a57a54fb3

    • SHA1

      a4ac414101162bb062ee03d8364d57248e8f1a39

    • SHA256

      416baeb19adb37e66000e685e04d70586b022f5d36ae411080f89e5590bb8f40

    • SHA512

      f2e4434cb5f9c48187d712fb3f77cca3f0d5acbe985b5f65db54be4ea0ead4942f85e02252455ffb9e82e396c87711ee2af81c6d94d58a966dc246d9233db069

    Score
    7/10
    • Deletes itself

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

    • Target

      448a675cb76d76830930fd79347452b44bfc13eca1fc92c4e81d00eedfafac2c

    • Size

      4.5MB

    • MD5

      01bde657829f533c72468b2234a57424

    • SHA1

      b0369575161af6659df620350aecaf6aebfadc4f

    • SHA256

      448a675cb76d76830930fd79347452b44bfc13eca1fc92c4e81d00eedfafac2c

    • SHA512

      379b3320bd8da31cc58701896a877c8187fe0a21f86036bdbcd68e449b082d2d6511550118c23d7b78a80d6bb7a0f8ba5cd2d362df224d0197badbb31ebc7d4f

    Score
    8/10
    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v6

Tasks

static1

upx, fakeav, spyware, miner, fakeav, xmrig
Score
10/10

behavioral1

persistence
Score
10/10

behavioral2

persistence
Score
10/10

behavioral3

evasion
Score
9/10

behavioral4

evasion
Score
9/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

discovery, evasion, spyware
Score
9/10

behavioral8

discovery, evasion, spyware
Score
9/10

behavioral9

evasion
Score
9/10

behavioral10

evasion
Score
9/10

behavioral11

evasion
Score
9/10

behavioral12

evasion
Score
9/10

behavioral13

evasion
Score
9/10

behavioral14

evasion
Score
9/10

behavioral15

evasion
Score
9/10

behavioral16

evasion
Score
9/10

behavioral17

Score
6/10

behavioral18

Score
6/10

behavioral19

evasion
Score
9/10

behavioral20

evasion
Score
9/10

behavioral21

discovery, spyware
Score
8/10

behavioral22

discovery, spyware
Score
8/10

behavioral23

evasion
Score
9/10

behavioral24

evasion
Score
9/10

behavioral25

Score
8/10

behavioral26

Score
8/10

behavioral27

evasion
Score
9/10

behavioral28

evasion
Score
9/10

behavioral29

persistence
Score
7/10

behavioral30

persistence
Score
7/10

behavioral31

discovery, spyware
Score
8/10

behavioral32

discovery, spyware
Score
8/10