General
-
Target
6064699289141248.zip
-
Size
9.9MB
-
Sample
210315-zmnfx2rcqx
-
MD5
8d072a859ec10c7eb02a3c4ff24ea2bb
-
SHA1
69a9d0eefc5b101fca7c29023c9b7beadc97e3e4
-
SHA256
253de8145c186c3d3ff60304eab1f23f4fdd50eb38a212c94847578226af433c
-
SHA512
939105292ce45123c91b533d65dd0fd228841f3da64d59a99074994b5502c759cb6ff15f7b322b45cb69ad12db2078d02f2e2360e3b98cab8e11083315f718d6
Malware Config
Targets
-
-
Target
080540b15c90a082697cfa8fa08e0d31ab4e8d12035b69df52a71da41f5e7bf5
-
Size
1005KB
-
MD5
9c7795073fe543136748180a9d22abec
-
SHA1
3b1ffb90e59e01d33444ca5516321cebd55a2e7c
-
SHA256
080540b15c90a082697cfa8fa08e0d31ab4e8d12035b69df52a71da41f5e7bf5
-
SHA512
363dd2f8775b766fcf14f5aa629dbb36e169d45bf0091814ad3ed0f5d0a787a3eb35758eef3bfd55325eabcf7576f3bd009e7408d17b4569d1ea92d3db9a746f
Score8/10-
Executes dropped EXE
-
Loads dropped DLL
-
-
-
Target
16937c50e9597e6d3ce66dc15632eee53ad10c32bb077d53baf0c4368b8a359a
-
Size
4.3MB
-
MD5
a9db364c68ce56a448ead48291fa0cd3
-
SHA1
1550491d8a926cbabbd5dc963a4f41dd3b5b6826
-
SHA256
16937c50e9597e6d3ce66dc15632eee53ad10c32bb077d53baf0c4368b8a359a
-
SHA512
84b46388ffbe733c0ad9472ed0d811db1affa7ec3b6b218cf0f90a9685d2dfe55e7bf37194af147ae555315c5fa6ee00fcc98a8dad5cfd80120e178433e5db1f
Score9/10-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Checks whether UAC is enabled
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
2fc4602468f243f742b496683ee9bd6ff22c4c85b56567eff3df2bf7ef5c495b
-
Size
100KB
-
MD5
ab3bfa9ef77a888353ed05d0bed7e931
-
SHA1
71c44b922b3de2db1e6c63a846e92850973526fc
-
SHA256
2fc4602468f243f742b496683ee9bd6ff22c4c85b56567eff3df2bf7ef5c495b
-
SHA512
4e48b0f765a8a9af0dfe035b98c9ea2b3928a802111e04f12b82d8f7222b9565006e6c282451a26ee33ea0b581502ca5c475e76ebfc001cb16d4b93d02e24b81
Score8/10-
Executes dropped EXE
-
Loads dropped DLL
-
-
-
Target
2fd826bdb83c394de8e5c660cb4af4885e071c96db236e80503b3c4ef048b414
-
Size
57KB
-
MD5
def91e622f9982c57fbf135737169d09
-
SHA1
323469e58973010b1f382584806f5969bb1bf13e
-
SHA256
2fd826bdb83c394de8e5c660cb4af4885e071c96db236e80503b3c4ef048b414
-
SHA512
a3c0ffe74f1b32c521b7b659a235aa10a49478f2ed750d656fae580b7ae89b3a42d00535b4bc14336d1d6dbc829b0dc1b32635a7d076178c15372fd6986023bc
Score8/10-
Executes dropped EXE
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL
-
-
-
Target
cool summer.exe
-
Size
26KB
-
MD5
652aecdc55ed88c7ddccda09adda2df1
-
SHA1
2edf5f1ec2124c94d95e2ccc35146e356d164c31
-
SHA256
7b77c970b908b1581fcc73f94d99b1c24a0945016448993712d322d1937a5318
-
SHA512
70a19d30f1a1452c79873a95392f62bc8eaf81545292be6f28f51d8b1060ac35be5d4fc431c4238c7b3fbb3ffa274fce7955c5a4424365a070777a98a41eac63
Score3/10 -
-
-
Target
iext3.fne
-
Size
380KB
-
MD5
07f0db2727c8288cd2cf7c4cf352708d
-
SHA1
caf2d1b631c785c1f6f01189cf841fc2661666ed
-
SHA256
3c18183857979a2b5664d3f852f74e3f31f0626720654914453e964938e18f5e
-
SHA512
b81029a2968663a180feca2e3e47f4736f87a7cc73e6a9153aa227b91d963e077f44c5a289b9f64d6b481b7bd5ccb4bcb762048a4f29810c1f4fd4e6106cb0d3
Score1/10 -
-
-
Target
krnln.fnr
-
Size
1.1MB
-
MD5
638e737b2293cf7b1f14c0b4fb1f3289
-
SHA1
f8e2223348433b992a8c42c4a7a9fb4b5c1158bc
-
SHA256
baad4798c3ab24dec8f0ac3cde48e2fee2e2dffa60d2b2497cd295cd6319fd5b
-
SHA512
4d714a0980238c49af10376ff26ec9e6415e7057925b32ec1c24780c3671047ac5b5670e46c1c6cf9f160519be8f37e1e57f05c30c6c4bda3b275b143aa0bf12
Score1/10 -
-
-
Target
xplib.fne
-
Size
48KB
-
MD5
37a58e1c5ce48e401ee8dd1d1da54814
-
SHA1
a87d00d78838c2d968b72330ee6f21f69b2caae5
-
SHA256
1c426928fb90bedb31fcffa0f3fbe7bdbca4259f93f5abdefed6a9a089f2982c
-
SHA512
e85052fc305040bdcaf47262e0ce6eef0848b319baac72a076dc94e7d20ea7ad8fbdd7d5381606a3154ab84fe81429bb339123ac1cd94551b1dc9cecfb7a08bf
Score1/10 -
-
-
Target
4373d18b2bf09478387fc4e762cf29d6a9ba886e2f39dd4353fb6e8b33fee083
-
Size
25KB
-
MD5
cd4cc1545d329de2398ff457e712edb2
-
SHA1
969b04cf87e367ad0c29ffc8c039cdde63196637
-
SHA256
4373d18b2bf09478387fc4e762cf29d6a9ba886e2f39dd4353fb6e8b33fee083
-
SHA512
4ed085bfc53b63c2d25fff05d919731d3dd151759803062b964275f3881f16e3ac77c415e1ad3a94ed46dcc889d1b3eb9932372e81dbcb384339c913500f2fa9
Score8/10-
Executes dropped EXE
-
Loads dropped DLL
-
-
-
Target
485e37b429bee1807d1cc52afa3de654928bd2a17f71b028abe71b1abac7e3f9
-
Size
81KB
-
MD5
41d039d3633ffa1f70c61ae96fe2b8e8
-
SHA1
c6e67978244671733cb48fad28e5a1c15944c921
-
SHA256
485e37b429bee1807d1cc52afa3de654928bd2a17f71b028abe71b1abac7e3f9
-
SHA512
9a202a59cb98e95208af5c9f7a2e71b5bbc9508ec9797f0450c62c3e2ab1dad0eb47b182a3cdc5c4d23179a3e03ca664e1923460911443227ac116698f90b4b9
Score1/10 -
-
-
Target
59c049de6d7f42e5739b586fe1fe0dff6318328555f82a71080d03763d08d314
-
Size
951KB
-
MD5
9fb6c6868de1100fc5b93f867a774587
-
SHA1
80974a833e924742924c267c2b3c5067fd863dbb
-
SHA256
59c049de6d7f42e5739b586fe1fe0dff6318328555f82a71080d03763d08d314
-
SHA512
4078beb194448b2951cc2b4b9ea374b0d2bd267d096c40954b8b76fbc4ddd66392614789f33e561492d2d1440fba631e887fab495addc5583b0b1dc4c2cd3c43
Score8/10-
Executes dropped EXE
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL
-
-
-
Target
641da56f29c645a544f19c88f54c1dfcf3a7f52711c5b0ff8826cf36bbaef3fc
-
Size
731KB
-
MD5
0e1f62103ac0bc7ea1264470601c72ab
-
SHA1
c8880427dfdb0dbf1bbe637a9c342c29a165dacd
-
SHA256
641da56f29c645a544f19c88f54c1dfcf3a7f52711c5b0ff8826cf36bbaef3fc
-
SHA512
8fd68e87bc607fb962709b9ef0bcfdec39976c6f2d5d80acee826d99427f01df8b20e912a86c63a6a0d73968049a1d4ac28107aa29c5edbd73aa1b26a0b9a9ac
Score9/10-
Checks for common network interception software
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Enumerates VirtualBox registry keys
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
-
-
Target
64b4fe7baf53d40ac6ab1fd13bdcedb48f38b37c76d792b93da00bc3ba195260
-
Size
81KB
-
MD5
9d603f0329d9004c719c4effdb7f1830
-
SHA1
94cbbeba0f283da589464ab9c087caf8c3bf7b02
-
SHA256
64b4fe7baf53d40ac6ab1fd13bdcedb48f38b37c76d792b93da00bc3ba195260
-
SHA512
eafc2f35b54335d3ab6a2ab5472127c93c46c8097900eb01ecdbf7b9903c560a63fe43d9adb9c6588308cefe8f31e391f7865f39bd0ad98e018e260d8a1ab64a
Score1/10 -
-
-
Target
74368a064edba03fecd56aeb572127318861fc9b9d14851cd46029cd5a270ee0
-
Size
939KB
-
MD5
9a8a41462d8c437a1861304151333084
-
SHA1
4de7438431f5fd3e2545e5ab77ac02032b01e923
-
SHA256
74368a064edba03fecd56aeb572127318861fc9b9d14851cd46029cd5a270ee0
-
SHA512
1cdf4e800310359e490284d364228631333499a3019e5a84fbd6f3c63780f38899fcdfd77510892fc5d0f000d822b5b33f6e1eb5a25a85c255360422db341458
Score8/10-
Executes dropped EXE
-
Loads dropped DLL
-
-
-
Target
c087a84574092eba9510c17f425853ce
-
Size
128KB
-
MD5
c087a84574092eba9510c17f425853ce
-
SHA1
015a499f638d2c3bbb453ca98b31a3ac6203b2b7
-
SHA256
2a56e792c187c3b59f0f62b58dcd92d8137581ad83eeff0b86c120e78c3bba13
-
SHA512
68df03dc8ccc6d386f4c00c2491c0ce0e337af3f46c89bb586894901215280ec171a032b6913fe6201f92324c1cdc049f0515e9b65170352957cf0d19eec21ce
Score7/10-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Adds Run key to start application
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
-
-
Target
90eca63d6ac05c375af58247435cea9fa724335f946e4576986a25a553dcb852
-
Size
59KB
-
MD5
dc014e9681ed57207d64443cb2bbe34c
-
SHA1
e56f420bfb14a01b042563e1bdf6380c1a45a76c
-
SHA256
90eca63d6ac05c375af58247435cea9fa724335f946e4576986a25a553dcb852
-
SHA512
347113544311ce154da6c1755e7a5b9ebac00c9b4fa9d91e58ef81bf886da0b3faef453fe12e965b003f59890644742786ae14b2671196443914fc3a8c7bac1f
Score8/10-
Executes dropped EXE
-
Loads dropped DLL
-