General
Target: 5357827141566464.zip
Size: 581KB
Sample: 220109-l9rjdsddg5
MD5: f031bf307cb5d7a3da2992d095c794fe
SHA1: d8a4d89002cf0eb0d4db74a646d620aa8e870a2a
SHA256: 30f8d722480f208b7521632343cb6f611eafba1bc0a8c82c6f11cca6aefea914
SHA512: f534cf37e951aa3ca75edd304dc35562cabfa4fcc5eea2622ba4865b238dd3c37e774aa3b3d0a25a350f86caf72893203b56edb9b47e008307634b135c185406
Static task: static1
Behavioral task: behavioral1
Sample: ce04a8f39383e80f77502ff18cfd4e0512e609f4cded12676f499bbd3b647ddb.exe
Resource: win7-en-20211208
Malware Config
Extracted family: cryptbot
Domains:
  zyorsx75.top
  morvue07.top
payload_url: http://yapkbc10.top/download.php?file=luzhou.exe
Targets
Target: ce04a8f39383e80f77502ff18cfd4e0512e609f4cded12676f499bbd3b647ddb
Size: 1.9MB
MD5: a35f9d40550c66e04a1ef4ab5444a918
SHA1: 1459bafec585d11708b5d71b5823a6989f7dfb38
SHA256: ce04a8f39383e80f77502ff18cfd4e0512e609f4cded12676f499bbd3b647ddb
SHA512: 9dcea4984088a4a71d35042b4ad4197037cbd7e63b47be1af704f0cd9a12e2163f81e64dc3c5970f056b8189198c3d46fc58e5cb31eac7f03607c272d5c63421
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess (process created under a parent other than the caller, i.e. parent-PID spoofing)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger (anti-debugging: the thread is hidden from an attached debugger)
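The three registry-based signatures above (BIOS information, VirtualBox ACPI values, Uninstall key enumeration) can be replayed over an API trace to triage similar samples. The following is an added example, not code from the sandbox or from the sample: it parses a constructed "<pid> <image> <api> <key>" trace, folds the different hive spellings (HKEY_LOCAL_MACHINE, the native \REGISTRY\MACHINE path, HKLM) to one form so that NtOpenKey and RegOpenKeyEx calls are matched alike, and reports which signatures each process triggered. The trace lines and process names are constructed for the demonstration; the registry paths are the well-known ones these checks read.

```python
"""Added example, not part of the sandbox report: replay the report's three
registry-based signatures over a constructed API trace."""
import re
from collections import defaultdict

# Registry key prefixes (lower-case, HKLM-normalised) behind each signature
# named in the report.  A trace line hits a signature when its key starts
# with any of the listed prefixes.
SIGNATURES = {
    "Checks BIOS information in registry": (
        r"hklm\hardware\description\system\bios",
        r"hklm\hardware\description\system\systembiosversion",
        r"hklm\hardware\description\system\videobiosversion",
    ),
    "Identifies VirtualBox via ACPI registry values (likely anti-VM)": (
        r"hklm\hardware\acpi\dsdt\vbox__",
        r"hklm\hardware\acpi\fadt\vbox__",
        r"hklm\hardware\acpi\rsdt\vbox__",
    ),
    "Checks installed software on the system": (
        r"hklm\software\microsoft\windows\currentversion\uninstall",
        r"hklm\software\wow6432node\microsoft\windows\currentversion\uninstall",
    ),
}

# Hive spellings seen in user-mode APIs, native NT paths and tool output,
# all folded to the short hklm/hkcu form before matching.
_HIVE_ALIASES = (
    (r"\registry\machine", "hklm"),
    ("hkey_local_machine", "hklm"),
    (r"\registry\user", "hkcu"),
    ("hkey_current_user", "hkcu"),
)

# Constructed API trace (not from the sandbox): "<pid> <image> <api> <key>".
SAMPLE_TRACE = r"""
1404 sample.exe RegOpenKeyExW HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS
1404 sample.exe RegQueryValueExW HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
1404 sample.exe NtOpenKey \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
1404 sample.exe RegOpenKeyExW HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
1404 sample.exe RegEnumKeyExW HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip
2210 notepad.exe RegOpenKeyExW HKCU\Software\Microsoft\Notepad
2210 notepad.exe RegQueryValueExW HKCU\Software\Microsoft\Notepad\lfFaceName
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(.+)$")


def normalise_key(key):
    """Lower-case a registry path and fold hive aliases to hklm/hkcu."""
    key = key.strip().lower()
    for alias, short in _HIVE_ALIASES:
        if key.startswith(alias):
            key = short + key[len(alias):]
            break
    return key


def parse_trace(text):
    """Return (pid, image, api, normalised_key) tuples from the trace text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        pid, image, api, key = m.groups()
        events.append((int(pid), image.lower(), api, normalise_key(key)))
    return events


def match_signatures(events):
    """Map each (pid, image) to the set of report signatures it triggered."""
    hits = defaultdict(set)
    for pid, image, _api, key in events:
        for name, prefixes in SIGNATURES.items():
            if any(key.startswith(p) for p in prefixes):
                hits[(pid, image)].add(name)
    return dict(hits)


def verdict(hits):
    """Flag processes that run both the BIOS and the ACPI/VirtualBox checks.
    Uninstall-key enumeration alone is normal for installers and inventory
    tools, so it adds context but does not flag on its own."""
    evasive = []
    for proc, names in hits.items():
        anti_vm = {n for n in names if "BIOS" in n or "VirtualBox" in n}
        if len(anti_vm) == 2:
            evasive.append(proc)
    return sorted(evasive)


if __name__ == "__main__":
    found = match_signatures(parse_trace(SAMPLE_TRACE))
    for proc, names in sorted(found.items()):
        print(proc, "->", sorted(names))
    print("evasive:", verdict(found))
```

The prefix list is deliberately narrow: matching all of HKLM\HARDWARE\DESCRIPTION would also catch benign hardware inventory, so only the BIOS-identifying values are listed, and the verdict requires the BIOS read and the VBOX__ ACPI lookup together before calling a process evasive.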