chinese_generic_botnet | 9aa1748979696921b27868393bbb69add33c1dbc89624ea3085119aaf76cc2e7 | Triage

Submit
Reports

Overview

overview

Static

static

tmp/xp.exe

windows7_x64

tmp/xp.exe

windows10_x64

Sharing

General

Target

tmp/xp.exe
Size

1.3MB
Sample

211215-jn54jsghh3
MD5

80526cfb4316313ed339ca64368f5fae
SHA1

96507bec2754a51dca329bb73e2b2c56ce73e269
SHA256

9aa1748979696921b27868393bbb69add33c1dbc89624ea3085119aaf76cc2e7
SHA512

38155a4b8713e78c737108a1c6ff119b06832121d789bec0ced3f7fa140c07d6478c320a4f5fa97834a1ec67b7bb1d7ec8c890fd0934b7bc5c5fbc3f27e037d3

Score

10^/10

chinese_generic_botnet botnet evasion persistence

Static task

static1

Behavioral task

behavioral1

Sample

tmp/xp.exe

Resource

win7-en-20211208

chinese_generic_botnet botnet evasion

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

tmp/xp.exe

Resource

win10-en-20211208

chinese_generic_botnet botnet evasion persistence

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  tmp/xp.exe
- Size
  
  1.3MB
- MD5
  
  80526cfb4316313ed339ca64368f5fae
- SHA1
  
  96507bec2754a51dca329bb73e2b2c56ce73e269
- SHA256
  
  9aa1748979696921b27868393bbb69add33c1dbc89624ea3085119aaf76cc2e7
- SHA512
  
  38155a4b8713e78c737108a1c6ff119b06832121d789bec0ced3f7fa140c07d6478c320a4f5fa97834a1ec67b7bb1d7ec8c890fd0934b7bc5c5fbc3f27e037d3
Score

10^/10

chinese_generic_botnet botnet evasion persistence
- Generic Chinese Botnet
  A botnet originating from China which is currently unnamed publicly.
  botnet chinese_generic_botnet
- Chinese Botnet Payload
  botnet
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

chinese_generic_botnetbotnetevasion

behavioral2

chinese_generic_botnetbotnetevasionpersistence

© 2018-2025

Terms | Privacy