General
-
Target
csrss.exe
-
Size
2.1MB
-
Sample
210418-p9s2m97j72
-
MD5
2a9be7e5bc1de20522b4e71159159956
-
SHA1
53b6034d122211f7e3937d5f61325d3211842848
-
SHA256
f0e98cc9e77c4b14e67aae84dcb833f9d40a536a253cca74409fa195cb35154e
-
SHA512
af42bc88d9de45a575ce63be246706e98e0135738b63d1f02d28fb024487112736be72f7869822ceb8a16617b43a5235d41358b090d223e9913a1cfacd60e7a0
Malware Config
Targets
-
-
Target
csrss.exe
-
Size
2.1MB
-
MD5
2a9be7e5bc1de20522b4e71159159956
-
SHA1
53b6034d122211f7e3937d5f61325d3211842848
-
SHA256
f0e98cc9e77c4b14e67aae84dcb833f9d40a536a253cca74409fa195cb35154e
-
SHA512
af42bc88d9de45a575ce63be246706e98e0135738b63d1f02d28fb024487112736be72f7869822ceb8a16617b43a5235d41358b090d223e9913a1cfacd60e7a0
Score10/10-
Modifies WinLogon for persistence
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-