General
-
Target
hell.bin.zip
-
Size
7KB
-
Sample
210224-ll5cw24c7s
-
MD5
899a38ca4a2783723e9cce5924cd4526
-
SHA1
ec874603c0a37644e9ee4a9361d94da1fde50373
-
SHA256
d71d1f411026ddf3124660d50f2e65a42b7ad4637459c9c86d13028a30a0cbb5
-
SHA512
f9f6786d554333f895f3cc169e99064d93d0e64f0df381e706ff47c3ec10752ec7d8fd7ecd363536d2d08348d4f8420da78eda458d595b4fe2adbc684add7b14
Malware Config
Targets
-
-
Target
hell.bin
-
Size
17KB
-
MD5
767b5f0d52f3c7af12ee5e45e445f046
-
SHA1
42a6631056347a92888c53d36f97018b8fa5f9ba
-
SHA256
65403f6f0be0d76e157417c5d5b12023177ef451c2503857f13e9cd0e1e7f6e5
-
SHA512
be6eaeebb0822cbae55bd5b044f6dd1bd383fa07499010b1cfe17f37e997cd070a16bed705e6f232ac33be29d11787a8611e688632e0a5de3f21717922b4764d
Score10/10-
PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
-
Nirsoft
-
Executes dropped EXE
-
Suspicious Office macro
Office document equipped with 4.0 macros.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-