General
Target: hell.bin.zip
Size: 7KB
Sample: 210224-ll5cw24c7s
MD5: 899a38ca4a2783723e9cce5924cd4526
SHA1: ec874603c0a37644e9ee4a9361d94da1fde50373
SHA256: d71d1f411026ddf3124660d50f2e65a42b7ad4637459c9c86d13028a30a0cbb5
SHA512: f9f6786d554333f895f3cc169e99064d93d0e64f0df381e706ff47c3ec10752ec7d8fd7ecd363536d2d08348d4f8420da78eda458d595b4fe2adbc684add7b14
Static task: static1
Behavioral task: behavioral1
  Sample: hell.bin.exe
  Resource: win10v20201028
Behavioral task: behavioral2
  Sample: hell.bin.exe
  Resource: win10v20201028
Behavioral task: behavioral3
  Sample: hell.bin.exe
  Resource: win10v20201028
Behavioral task: behavioral4
  Sample: hell.bin.exe
  Resource: win10v20201028
Malware Config
Targets
Target: hell.bin
Size: 17KB
MD5: 767b5f0d52f3c7af12ee5e45e445f046
SHA1: 42a6631056347a92888c53d36f97018b8fa5f9ba
SHA256: 65403f6f0be0d76e157417c5d5b12023177ef451c2503857f13e9cd0e1e7f6e5
SHA512: be6eaeebb0822cbae55bd5b044f6dd1bd383fa07499010b1cfe17f37e997cd070a16bed705e6f232ac33be29d11787a8611e688632e0a5de3f21717922b4764d
- Nirsoft
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext