fea70f1113b11df7ee03d4889418d06d1fa1f99d705aafdbdbfbace317812452

General

Target

--d8kxdir.zip
Size

9.8MB
Sample

220504-qgz3aageak
MD5

7c2d211e903c679f653ca6138b4cf110
SHA1

98cf44677ba20c3b927c5866a14289692d84c386
SHA256

fea70f1113b11df7ee03d4889418d06d1fa1f99d705aafdbdbfbace317812452
SHA512

a46ad87863441de74743bbb826dd0d1e960e2c3f1e86ff9b3873d8bab43cb41d06f5445ae463ce51b5f24a0808fbe887f5b79fe8e736f57d5b005af4583c08e8

Score

10^/10

Malware Config

Targets

- Target
  
  --d8kxdir.exe
- Size
  
  7.5MB
- MD5
  
  275c014963f2ef27dd3e39e9c60d9da7
- SHA1
  
  53bf33dad945c79396eefdadd9f94f0c98750ba1
- SHA256
  
  7dcbc5676b17a35dfff8197bddd6c3b4575b2ec8e3f46afe3521983400d996ce
- SHA512
  
  ba0e2577d8761c649ab2bd7d0888d3c079b41c9fe4e7103d5698862df12b2e1c38c6233baac6cd9c0ccb422b36e44d5a3d7e46f7311aa099149ad41137b67b4d
Score

9^/10

discovery persistence spyware stealer upx
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  .............exe
- Size
  
  3.9MB
- MD5
  
  1c9d03acc5ce4d1565e01418e2892087
- SHA1
  
  345be215d0017d06a3934150105389730038fa69
- SHA256
  
  bdb03d50cba10bbbaea2409521c515d15f3e674e6ccabbadfec319bdc08cd1ea
- SHA512
  
  1442ad0b3af4fddc1c6980426a25f6d2c4b033902b8cc42596ad0077385ca3d56e4fed4517a61fe4d5b5b185b34030196ac9c5dcc61d93fd48292aed2b7998e8
Score

10^/10

spyware stealer discovery exploit persistence
- Registers COM server for autorun
  persistence
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Executes dropped EXE
- Possible privilege escalation attempt
  exploit
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral3 behavioral4