General
Target: open__with_Pass__1234.exe
Size: 2.2MB
Sample: 220102-qlnj2saeb7
MD5: fee1fdf36972ab6f9c6f4b9f51b08029
SHA1: dede9e00a4dee0ca1580815b25fba6639ce60a75
SHA256: 1a7b82468f3a677663daab8f8142ff99cf65465d6a772f71c655b55f05395303
SHA512: 85965d45a3eebc013e0b0f618dec95fab1201f46ec862045aff5ffe7b17ebee70671cdcbdea439a8d4e7064f5e164cddc7dd108355807db8abf64f160d1e2d8d
Static task: static1
Behavioral task: behavioral1
Sample: open__with_Pass__1234.exe
Resource: win7-en-20211208
Malware Config
Extracted: cryptbot
hevuto75.top
morhmu07.top
payload_url: http://kyrolk10.top/download.php?file=aswirl.exe
Targets
Target: open__with_Pass__1234.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger