General
Target: ACTIVATE____SETUP__4695.exe
Size: 744KB
Sample: 220130-rp54yadaa7
MD5: 849bf640bf914ec675b9477a802a22f9
SHA1: e1a12595f8c9d48416ec342cd4037a32f3fdda24
SHA256: 5b74eb73697a853a9d2d138a270a97a4edbcdc38ba46c5ea3cd79076ba4cecb4
SHA512: 763878ebb2c574f6e93e6bd7be49ee874e35e04c4bbd8d771224c16ece3628523041520497b6f66bd3f90e8f3e09b0accda049fa518bfbeb4fc77bc2175d6ec1
Static task: static1
Behavioral task: behavioral1
Sample: ACTIVATE____SETUP__4695.exe
Resource: win7-en-20211208
Malware Config
Targets
Target: ACTIVATE____SETUP__4695.exe
Size: 744KB
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Drops startup file
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger