General

Target: Tornado.iso
Size: 331.0MB
Sample: 211021-pt2afabbdq
MD5: 2ce6a31993822bc5f286f04fa73c517b
SHA1: 16497f37d84928fcf06fb0c81b53bf2224892ac4
SHA256: 91d48cd8799643b9e70cc8d7f1abcab8a8a8377090d03623d28d8222c76b0d58
SHA512: 3e2d1e2c61c9a460978c0a2b8c656f68b2f5486927a6c0240190447f41f16b4ab2604ef37cca532387dab51de6f69b8b46c9564c4aad1e80ecd1949afed31463

Static task: static1

Behavioral tasks
Task         Sample       Resource
behavioral1  Tornado.exe  win7-ja-20211014
behavioral2  Tornado.exe  win7-en-20210920
behavioral3  Tornado.exe  win7-de-20211014
behavioral4  Tornado.exe  win11
behavioral5  Tornado.exe  win10-ja-20210920
behavioral6  Tornado.exe  win10-en-20211014
behavioral7  Tornado.exe  win10-de-20210920

Malware Config

Targets

Target: Tornado.exe
Size: 331.0MB
MD5: 2acf755a8825894b837989ce1ae3db1d
SHA1: 17d5590e64a1df1470e83f79eb935d78bc218c2d
SHA256: 876dbe0fdf3f4ec70bd1985bf7c6f661b1105efd591407a6dd7ca7506bc61adf
SHA512: f5ca9da28f33097e92714f1e329d62fa8b98afe35bdaaf9e4941ad8f46c9350df74117b4712abc83c7bf44d6a1cb357b44bfb426d7ab0eeb88b3c813e99eef4b

Signatures
- Registers COM server for autorun
- suricata: ET MALWARE Arechclient2 Backdoor CnC Init
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
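The three persistence signatures in this report (Run key, startup file, COM server registration) can be checked on a suspect host with the triage script below. This is an added example, not output or code from the sandbox report or from the sample. It assumes an elevated PowerShell session on the host; the only values taken from the report are the two SHA256 hashes. The allow-list of "expected" directories ($env:SystemRoot and the Program Files roots) and the helper names Get-ExecutablePath, Test-ExpectedPath and New-Finding are illustrative choices.

```powershell
# Added triage example (not from the sandbox report or the sample). Run in an elevated
# PowerShell session on a suspect Windows host. The hashes below are the two SHA256 values
# listed in the report; everything else (allow-list, helper names) is an illustrative choice.

$knownBadSha256 = @(
    '91d48cd8799643b9e70cc8d7f1abcab8a8a8377090d03623d28d8222c76b0d58',  # Tornado.iso
    '876dbe0fdf3f4ec70bd1985bf7c6f661b1105efd591407a6dd7ca7506bc61adf'   # Tornado.exe
)

# Directories from which autostart entries are treated as expected (assumption; tune per estate)
$expectedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Get-ExecutablePath {
    # Reduce a command line such as '"C:\x\y.exe" /arg' or '%APPDATA%\z.exe' to its executable path
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) { return $cmd.Split('"')[1] }
    return $cmd.Split(' ')[0]
}

function Test-ExpectedPath {
    param([string]$Path)
    if (-not $Path) { return $true }
    foreach ($root in $expectedRoots) {
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function New-Finding {
    # One record per autostart entry; hash the referenced file if it exists on disk
    param([string]$Type, [string]$Location, [string]$Path)
    $hash = $null
    if ($Path -and (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    }
    [pscustomobject]@{
        Type     = $Type
        Location = $Location
        Path     = $Path
        Expected = Test-ExpectedPath $Path
        KnownBad = [bool]($hash -and ($knownBadSha256 -contains $hash))
        Sha256   = $hash
    }
}

$findings = @()

# 1. Run / RunOnce keys ("Adds Run key to start application")
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry values
        $findings += New-Finding -Type 'RunKey' -Location "$key\$($p.Name)" -Path (Get-ExecutablePath $p.Value)
    }
}

# 2. Startup folders ("Drops startup file")
foreach ($folder in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($folder)
    Get-ChildItem -LiteralPath $dir -Force -File -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += New-Finding -Type 'StartupFile' -Location $dir -Path $_.FullName
    }
}

# 3. COM servers registered in the user hive ("Registers COM server for autorun").
# HKCU\Software\Classes is merged over HKLM\Software\Classes when HKCR is resolved, so a
# per-user InprocServer32/LocalServer32 that points outside program directories is the
# shape of a COM hijack. The report does not name the CLSID, so every per-user CLSID is listed.
$clsidRoot = 'HKCU:\Software\Classes\CLSID'
if (Test-Path $clsidRoot) {
    foreach ($clsid in Get-ChildItem -Path $clsidRoot -ErrorAction SilentlyContinue) {
        foreach ($sub in 'InprocServer32', 'LocalServer32') {
            $serverKey = Join-Path $clsid.PSPath $sub
            if (-not (Test-Path $serverKey)) { continue }
            $server = (Get-ItemProperty -Path $serverKey).'(default)'
            $findings += New-Finding -Type "COM-$sub" -Location $clsid.PSChildName -Path (Get-ExecutablePath $server)
        }
    }
}

# Entries outside an expected root, or matching a report hash, go to the analyst first;
# the full list stays in $findings for review.
$findings | Where-Object { $_.KnownBad -or -not $_.Expected } | Format-Table -AutoSize -Wrap
```

Two caveats on reading the output. The allow-list is path-based only: a Run entry that launches rundll32.exe or regsvr32.exe from System32 with a payload elsewhere passes as "expected", and since the report also records "Drops file in System32 directory", a dropped binary may sit inside an allowed root. That is why the script hashes every referenced file and compares it with the report's SHA256 values instead of trusting the path alone. The CLSID enumeration is limited to the user hive because a medium-integrity process resolving a class through HKCR picks up the HKCU\Software\Classes registration before the machine-wide one; a registration that should be checked in HKLM as well is easy to add by pointing $clsidRoot at HKLM:\Software\Classes\CLSID.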