General
-
Target
Activate it.exe
-
Size
1.2MB
-
Sample
211220-gsl55ahff7
-
MD5
2aa8128b8188e0b038a033203fa1b7c7
-
SHA1
4a95d41e5631e77110e216e849ff353c189e2712
-
SHA256
e2437d4c62a734010fa04f779a68d888ff73c8a1dd9c937bf9edb54f96046ef6
-
SHA512
1b6e5998afa77b688276b1fcb1024bd39cfce2ce7fe199e1c1df7b05015d8a25aec435e0dd122963530295af3a6e7a032bd7ed5ff491dad421d0f5f544133885
Static task
static1
Behavioral task
behavioral1
Sample
Activate it.exe
Resource
win7-en-20211208
Malware Config
Extracted
cryptbot
sezscl73.top
morbaf07.top
-
payload_url
http://ekuqap10.top/download.php?file=gallah.exe
Targets
-
-
Target
Activate it.exe
-
Size
1.2MB
-
MD5
2aa8128b8188e0b038a033203fa1b7c7
-
SHA1
4a95d41e5631e77110e216e849ff353c189e2712
-
SHA256
e2437d4c62a734010fa04f779a68d888ff73c8a1dd9c937bf9edb54f96046ef6
-
SHA512
1b6e5998afa77b688276b1fcb1024bd39cfce2ce7fe199e1c1df7b05015d8a25aec435e0dd122963530295af3a6e7a032bd7ed5ff491dad421d0f5f544133885
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-