General

  • Target

    luzhou.exe

  • Size

    2.7MB

  • Sample

    220109-q1e68adhbr

  • MD5

    3ae6147ee830216aa9e60610a5a46409

  • SHA1

    e56fe77b928782d7de59323a1d2543059f820a30

  • SHA256

    067d79883c880e8d3a0c77d0f211abe52991e00aff3489cd04c5b5180125fb65

  • SHA512

    c256d66f909dd75322890d4b21b86559f04f877768994e011b9e0030c57a9d72637799f291da8a7e67aa71aecd4faf5fb02c76a97a6fcbbbef680b3489b3d2c4

Targets

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger
