General
-
Target
a5b0a26ee96a47870bb4058f71f649eb2bcac0275c89a8eeda6d058fe98cbbd5
-
Size
3.6MB
-
Sample
210511-49d15rgr3s
-
MD5
7edc522f1dd53a98bdb4405d789d0e2f
-
SHA1
e59b28e23ed3c0b70c4f6ba63c41d24ff3e0c254
-
SHA256
a5b0a26ee96a47870bb4058f71f649eb2bcac0275c89a8eeda6d058fe98cbbd5
-
SHA512
1173b8ec85f37e69e649991e3e3c64da68b6d002a0b59c760e7933529f7f581f3d475ad4a8942c1f75febc1c045969f1b971050565fdcf2403cfff8f5c0ed1a5
Malware Config
Targets
-
-
Target
a5b0a26ee96a47870bb4058f71f649eb2bcac0275c89a8eeda6d058fe98cbbd5
-
Size
3.6MB
-
MD5
7edc522f1dd53a98bdb4405d789d0e2f
-
SHA1
e59b28e23ed3c0b70c4f6ba63c41d24ff3e0c254
-
SHA256
a5b0a26ee96a47870bb4058f71f649eb2bcac0275c89a8eeda6d058fe98cbbd5
-
SHA512
1173b8ec85f37e69e649991e3e3c64da68b6d002a0b59c760e7933529f7f581f3d475ad4a8942c1f75febc1c045969f1b971050565fdcf2403cfff8f5c0ed1a5
Score9/10-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Executes dropped EXE
-
Suspicious Office macro
Office document equipped with macros.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-