General
-
Target
open__with_Pass__1234.exe
-
Size
1018KB
-
Sample
220107-padd9scfcq
-
MD5
e0e78d14f28a5d23cab7b4dcb86a18a3
-
SHA1
6a502c655b11c224ae0c75bbfb7c90f5a3281ced
-
SHA256
af0b1d54f4b625461c6bad67daa6566d1ab2047fee5cf2b81c35b191f044ce9d
-
SHA512
5c1dd166b003182c93c286a0c87cf72b434075badd8c99ad5f8ca07e6fa36c3aeb1e8027816ebede87ad45b2a885eff8d3d6852dea03d0fb04aeb16580a0e3ef
Static task
static1
Behavioral task
behavioral1
Sample
open__with_Pass__1234.exe
Resource
win7-en-20211208
Malware Config
Extracted
-
Family
cryptbot
-
C2
zyoouw55.top
morlse05.top
-
payload_url
http://yapome07.top/download.php?file=combir.exe
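The extracted config gives the indicators a responder would hunt for: the two C2 domains and the host of the payload URL. The Python script below is an added example, not part of the sandbox report or of any analysis tooling; it turns those values into a domain set, matches subdomains of a listed domain without matching look-alike names, and scans a few proxy log lines constructed here for illustration (the log format, timestamps and client addresses are assumptions).

```python
"""Network indicators from an extracted CryptBot config, matched against
proxy log lines.  Added example, not part of the sandbox report."""
from urllib.parse import urlparse

# Values taken from the 'Malware Config' section of the report.
C2_DOMAINS = {"zyoouw55.top", "morlse05.top"}
PAYLOAD_URL = "http://yapome07.top/download.php?file=combir.exe"

# Constructed proxy log lines (assumed format: timestamp client method target).
SAMPLE_LOG = [
    "2022-01-07T12:00:01Z 10.0.0.5 GET http://yapome07.top/download.php?file=combir.exe",
    "2022-01-07T12:00:03Z 10.0.0.5 CONNECT morlse05.top:443",
    "2022-01-07T12:00:05Z 10.0.0.7 GET https://www.example.com/",
    "2022-01-07T12:00:09Z 10.0.0.5 CONNECT cdn.zyoouw55.top:443",
    "2022-01-07T12:00:12Z 10.0.0.9 GET http://notzyoouw55.top/index.html",
]


def indicators(c2_domains, payload_url):
    """Domain set to hunt for: the C2 domains plus the payload host."""
    host = urlparse(payload_url).hostname
    return {d.lower() for d in c2_domains} | {host.lower()}


def host_of(target):
    """Hostname from a full URL, a 'host:port' CONNECT target or a bare name."""
    if "://" in target:
        return urlparse(target).hostname
    return target.split(":", 1)[0] or None


def parent_domains(host):
    """Yield host and each parent down to the two-label suffix, so
    cdn.zyoouw55.top matches zyoouw55.top but notzyoouw55.top does not."""
    labels = host.lower().strip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def scan(lines, iocs):
    """(line number, matched indicator) for every line whose target hits an IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        host = host_of(fields[3])
        if not host:
            continue
        for candidate in parent_domains(host):
            if candidate in iocs:
                hits.append((n, candidate))
                break
    return hits


if __name__ == "__main__":
    for n, ioc in scan(SAMPLE_LOG, indicators(C2_DOMAINS, PAYLOAD_URL)):
        print(f"line {n}: {SAMPLE_LOG[n - 1]}  <- {ioc}")
```

Walking the parent labels rather than doing a substring match is what keeps notzyoouw55.top out of the hits while still catching hosts under a listed domain; the two-label floor is a simplification and a real deployment would use a public-suffix list.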
Targets
-
Target
open__with_Pass__1234.exe
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThread with ThreadHideFromDebugger
Setting ThreadHideFromDebugger on a thread stops the kernel from delivering that thread's debug events to an attached debugger, a common anti-debugging technique.
-
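Three of the signatures above (VirtualBox ACPI values, BIOS registry reads, Uninstall-key enumeration) are registry reads that legitimate installers and inventory agents also perform, so a detection should weigh them together per process rather than alert on any one. The Python script below is an added example, not part of the sandbox report; it maps registry-access events in a Sysmon-like 'pid/image/key' form onto those three behaviours using the well-known key paths (HKLM\HARDWARE\ACPI\{DSDT,FADT,RSDT}\VBOX__, HKLM\HARDWARE\DESCRIPTION\System\BIOS and the CurrentVersion\Uninstall hive) and flags processes that hit two or more. The events, PIDs and image paths are constructed for illustration.

```python
"""Map registry-access events onto the anti-analysis behaviours listed in
the report and flag processes that combine several.  Added example, not
part of the sandbox report; the events below are constructed."""
import re
from collections import defaultdict

# (behaviour label, regex over the registry key path).  The key paths are the
# well-known VirtualBox ACPI tables, BIOS description values and the
# Uninstall hive; they are not taken from the report's own event data.
RULES = [
    ("anti_vm_virtualbox_acpi",
     re.compile(r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
    ("bios_sandbox_check",
     re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\"
                r"(BIOS\\|SystemBiosVersion|VideoBiosVersion)", re.I)),
    ("installed_software_enum",
     re.compile(r"^HKLM\\SOFTWARE\\(WOW6432Node\\)?Microsoft\\Windows\\"
                r"CurrentVersion\\Uninstall\\", re.I)),
]

# Constructed Sysmon-style registry events: 'pid=<n> image=<exe> key=<path>'.
SAMPLE_EVENTS = [
    r"pid=1812 image=C:\Users\user\Desktop\open__with_Pass__1234.exe key=HKLM\HARDWARE\ACPI\DSDT\VBOX__",
    r"pid=1812 image=C:\Users\user\Desktop\open__with_Pass__1234.exe key=HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer",
    r"pid=1812 image=C:\Users\user\Desktop\open__with_Pass__1234.exe key=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip",
    r"pid=2240 image=C:\Windows\System32\msiexec.exe key=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Notepad++",
    r"pid=2240 image=C:\Windows\System32\msiexec.exe key=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
]


def classify_path(path):
    """Behaviour label for a registry path, or None if no rule matches."""
    for label, rx in RULES:
        if rx.search(path):
            return label
    return None


def parse_event(line):
    """Parse one 'pid=<n> image=<exe> key=<path>' line into a dict."""
    m = re.match(r"pid=(\d+)\s+image=(\S+)\s+key=(.+)$", line)
    if not m:
        return None
    return {"pid": int(m.group(1)), "image": m.group(2), "key": m.group(3).strip()}


def profile(lines):
    """Per-process record {pid: {'image': ..., 'behaviours': set()}}."""
    out = defaultdict(lambda: {"image": None, "behaviours": set()})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        rec = out[ev["pid"]]
        rec["image"] = ev["image"]
        label = classify_path(ev["key"])
        if label:
            rec["behaviours"].add(label)
    return dict(out)


def suspicious(prof, min_categories=2):
    """PIDs whose registry activity spans at least min_categories behaviours."""
    return sorted(pid for pid, rec in prof.items()
                  if len(rec["behaviours"]) >= min_categories)


if __name__ == "__main__":
    prof = profile(SAMPLE_EVENTS)
    for pid in suspicious(prof):
        print(pid, prof[pid]["image"], sorted(prof[pid]["behaviours"]))
```

With the constructed events the sample's process touches all three categories and is flagged, while msiexec.exe, which only walks the Uninstall hive, is not; raising or lowering min_categories is the knob that trades false positives against coverage.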