General
Target: EAC-BE-Injector-main.zip
Size: 8.2MB
Sample: 210817-3vhaxetrbx
MD5: 8e4e37b5eed8e8a9f3fc4df235fafbaf
SHA1: f1901a4e25e76a98f25651b6bb4a599c072db034
SHA256: 2f550e12caaba848c555fc526c78f5880fa9e0b506dd4958a161a2403326abb9
SHA512: e1009fe016bd97834dea7d511a522f756c6fecc02cee05d64059f2394b9261fd1217ba69ff2f68fccdd2cbf20c8c112980d8cf60adeb35009e92115c0b8165a0
Static task: static1
Behavioral task: behavioral1
  Sample: PagePoolInjector/qwindows.dll
  Resource: win10v20210408
Behavioral task: behavioral2
  Sample: PagePoolInjector/qico.dll
  Resource: win10v20210410
Behavioral task: behavioral3
  Sample: PagePoolInjector/injector.exe
  Resource: win10v20210410
Malware Config
Targets

Target: PagePoolInjector/injector.exe
Size: 3.4MB
MD5: cfc3984a2b7c140e79cd2ae42afffe42
SHA1: 1a8061504f534700802a6a17ab609b2fc988ab71
SHA256: 53c847547c4994568c24fd7381fc7225978bf1aeee758cc247366e4786411818
SHA512: 3a5b88caa7e922b559d22eae67a836480bb17af06ebcbae0eb55be4df6e6bb7d721b572d5e25210ee9d2f98155820ba6e62de8fe788d2a8e01e2a67256601589
Score: 1/10

Target: PagePoolInjector/qico.dll
Size: 30KB
MD5: f4d5454b19fa7304642dcf8af1312135
SHA1: a18fd6feb550f3aa629de8fd15d860ea09f14431
SHA256: ee44dc636bc74eb65decf5d5ec00148b2e74d3edc6d3753ed96fde0a02bd8f74
SHA512: 4d0e017e088be0d614ce31d21da3a7c550f0a8fa2d89f6d5a835bc7d6b401b9098a8791b8bd1818d2fa62059535a537a9f599730b1b319c5724e78bad54c8fcb
Score: 1/10

Target: PagePoolInjector/qwindows.dll
Size: 1.3MB
MD5: cccd2450d93d192881e8dc9e9b7b0b8f
SHA1: bb920b93ca8ca6a07d246af64e4c5be78556ccc2
SHA256: 3f1c4aad186b8f3297f4a817c1b3d8fdaed786d0c963b61954756d57665f148a
SHA512: 9b049c576a6aed18a7e151ce81d58d6274bc3c8b11fde014d98d3bbb225dc6e49992ce204aaadb42fbd8cc7c348308e2f791ce63e1f4b595da4990e3fc6d10aa
Signatures:
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Executes dropped EXE
- Sets service image path in registry
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger