General

  • Target

    97f8f7a08a23c4119347e1ac94b3fdaf

  • Size

    2.6MB

  • Sample

    211019-259geahdap

  • MD5

    97f8f7a08a23c4119347e1ac94b3fdaf

  • SHA1

    5268ac027ae7436f0f4f342f6f1a39f3f02db118

  • SHA256

    6e98fc5ea72ba14a5606fa481a46ced465d64c915f122bed42f7fad7cd9056f6

  • SHA512

    e4c9422b1a22fdac9ede3eafb0523556cd2252ae65aff63ac82d221e56c9a20b91b04be4a95134474058993c8ea4853805edb001f9b38aea72221da6ee0aab8d

Malware Config

Targets

    • Target

      97f8f7a08a23c4119347e1ac94b3fdaf

    • Size

      2.6MB

    • MD5

      97f8f7a08a23c4119347e1ac94b3fdaf

    • SHA1

      5268ac027ae7436f0f4f342f6f1a39f3f02db118

    • SHA256

      6e98fc5ea72ba14a5606fa481a46ced465d64c915f122bed42f7fad7cd9056f6

    • SHA512

      e4c9422b1a22fdac9ede3eafb0523556cd2252ae65aff63ac82d221e56c9a20b91b04be4a95134474058993c8ea4853805edb001f9b38aea72221da6ee0aab8d

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

3
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

2
T1082

Collection

Data from Local System

2
T1005

Tasks