General

Target: 878ae0892199581e106ef623d98801cab28341b1b969eaeff6a3704c580dce76
Size: 3.3MB
Sample: 211108-xdtveschc3
MD5: 35ff5f54ce6916b53bddc3b3d4acb854
SHA1: f90ecfdef0c315285a43ee6f14717679916453cc
SHA256: 878ae0892199581e106ef623d98801cab28341b1b969eaeff6a3704c580dce76
SHA512: a79a316ce197ccab1f9090436195557420f833ecb2bb84e1f15ab60beb0d2bd0c3d9b013b22c38ba3f53d3c430ae0295c842c2ca288cfbda3514d0acfc24fec3
Static task
static1
Malware Config
Targets

Target: 878ae0892199581e106ef623d98801cab28341b1b969eaeff6a3704c580dce76
Size: 3.3MB
MD5: 35ff5f54ce6916b53bddc3b3d4acb854
SHA1: f90ecfdef0c315285a43ee6f14717679916453cc
SHA256: 878ae0892199581e106ef623d98801cab28341b1b969eaeff6a3704c580dce76
SHA512: a79a316ce197ccab1f9090436195557420f833ecb2bb84e1f15ab60beb0d2bd0c3d9b013b22c38ba3f53d3c430ae0295c842c2ca288cfbda3514d0acfc24fec3
Signatures

- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  Reads the ACPI table entries under HKLM\HARDWARE\ACPI, where VirtualBox guests expose a VBOX__ OEM identifier; a sample that looks for this is usually deciding whether to run.
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger
  Calling NtSetInformationThread with the ThreadHideFromDebugger information class (0x11) stops the thread's debug events from being delivered to an attached debugger; a common anti-debug technique.
- Suspicious use of SetThreadContext
  Rewriting another thread's context is the usual way to redirect a suspended thread's entry point into injected code (process hollowing / RunPE), which fits the "Executes dropped EXE" and "Downloads MZ/PE file" behaviour above.
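To make the registry and thread-API signatures above concrete, here is an added example, not the sandbox's own signature code: a small matcher that applies the same checks to API-trace lines. The trace line format, the process id and the handle values are constructed for the example; the registry paths and the ThreadHideFromDebugger class value 0x11 are the real locations and constant these checks target. Anything not covered by the signatures (for instance the benign HKCU path in the test) should produce no hit.

```python
"""Re-implementation of the registry/thread-API sandbox signatures listed above,
as matchers over constructed API-trace lines (example code, not the sandbox's own)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# Constructed trace, one call per line: "<pid> <api> <target> [<extra>]".
# pid and handle values are invented; the registry paths are the real ones.
SAMPLE_TRACE = r"""
1234 RegOpenKeyExW HKLM\HARDWARE\ACPI\DSDT\VBOX__
1234 RegOpenKeyExW HKLM\HARDWARE\ACPI\FADT\VBOX__
1234 RegQueryValueExW HKLM\HARDWARE\DESCRIPTION\System\BIOS SystemManufacturer
1234 RegQueryValueExW HKLM\HARDWARE\DESCRIPTION\System SystemBiosVersion
1234 RegEnumKeyExW HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
1234 RegSetValueExW HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Updater
1234 NtSetInformationThread 0x1a4 ThreadInformationClass=0x11
1234 NtSetInformationThread 0x1a8 ThreadInformationClass=0x2
1234 SetThreadContext 0x1b0
"""


@dataclass(frozen=True)
class Signature:
    name: str
    apis: Tuple[str, ...]              # APIs that can trigger it; empty = any API
    target: re.Pattern                 # matched against the registry path / first argument
    extra: Optional[re.Pattern] = None # matched against the trailing arguments, if required


SIGNATURES = (
    Signature("Identifies VirtualBox via ACPI registry values (likely anti-VM)",
              ("RegOpenKeyExW", "RegOpenKeyExA", "RegQueryValueExW", "RegQueryValueExA"),
              re.compile(r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
    Signature("Checks BIOS information in registry",
              ("RegQueryValueExW", "RegQueryValueExA"),
              re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System(\\BIOS)?$", re.I),
              re.compile(r"^(SystemBiosVersion|VideoBiosVersion|SystemManufacturer|SystemProductName)$", re.I)),
    Signature("Adds Run key to start application",
              ("RegSetValueExW", "RegSetValueExA"),
              re.compile(r"^HK(LM|CU)\\SOFTWARE\\(WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)),
    Signature("Checks installed software on the system",
              ("RegEnumKeyExW", "RegEnumKeyExA", "RegOpenKeyExW", "RegOpenKeyExA"),
              re.compile(r"^HKLM\\SOFTWARE\\(WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Uninstall", re.I)),
    # ThreadHideFromDebugger is ThreadInformationClass 0x11; other classes are routine.
    Signature("Suspicious use of NtSetInformationThreadHideFromDebugger",
              ("NtSetInformationThread",),
              re.compile(r".*"),
              re.compile(r"ThreadInformationClass=0x11\b", re.I)),
    Signature("Suspicious use of SetThreadContext",
              ("SetThreadContext", "NtSetContextThread"),
              re.compile(r".*")),
)


def parse_trace(lines: Iterable[str]) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (pid, api, target, extra); blank or malformed lines are skipped."""
    for raw in lines:
        parts = raw.strip().split(None, 3)
        if len(parts) < 3:
            continue
        pid, api, target = parts[:3]
        extra = parts[3] if len(parts) == 4 else ""
        yield pid, api, target, extra


def match_signatures(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Return {signature name: [matching calls]} for every signature that fired."""
    hits: Dict[str, List[str]] = {}
    for _pid, api, target, extra in parse_trace(lines):
        for sig in SIGNATURES:
            if sig.apis and api not in sig.apis:
                continue
            if not sig.target.search(target):
                continue
            if sig.extra is not None and not sig.extra.search(extra):
                continue
            hits.setdefault(sig.name, []).append(f"{api} {target} {extra}".rstrip())
    return hits


def fired(lines: Iterable[str]) -> List[str]:
    """Sorted names of the signatures that fired, the way a report lists them."""
    return sorted(match_signatures(lines))


if __name__ == "__main__":
    for name, calls in match_signatures(SAMPLE_TRACE.splitlines()).items():
        print(name)
        for call in calls:
            print("   ", call)
```

The matchers key on the API name plus the registry path (and, where the path alone is ambiguous, the value name or information class), which is the same split the report's descriptions make: reading HKLM\HARDWARE\DESCRIPTION\System is only interesting for the BIOS values, and NtSetInformationThread is only interesting for class 0x11.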