501c9cdf21d2e7d3816efb23747686aec989b9f987281113aa5416bef627dbaf | Triage

Sharing

General

Target

501c9cdf21d2e7d3816efb23747686aec989b9f987281113aa5416bef627dbaf
Size

3.3MB
Sample

220520-e53yasaag8
MD5

0ab333eb9f61e8df44f6acfffdfc98b2
SHA1

e9eb2e45d39223adb9c028db5fd1b56eb3c619fd
SHA256

501c9cdf21d2e7d3816efb23747686aec989b9f987281113aa5416bef627dbaf
SHA512

7ea0d62c5aa78a8e287603af09b896fb5c1042f80feabaeea6ed6639aee1ce5ab4cc47837fdb8aad906a3f6552be28cf2e899355188e5dbbcd0c6538134fc41a

Score

9^/10

bootkit evasion persistence trojan

Malware Config

Targets

- Target
  
  BlackDesert Online PAZ Browser.exe
- Size
  
  1.9MB
- MD5
  
  4a1c0fd0dea70de9898517ac5c37d766
- SHA1
  
  38bea50aa5e4f0693bbebac4c12bbcb469b045b0
- SHA256
  
  e17f07f62bed84c388121ef63ecae48ac69834ae4cdff92b5f8871ed88f67c62
- SHA512
  
  a3632a5c15a0d5b84e28fc7e2f95a5b73e8f08037c1415682592eceaf9001aa971135cf534a4d039c9bd8854e0c08359ac300a27c429e592879367b7ae83c195
Score

9^/10

bootkit evasion persistence trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Checks whether UAC is enabled
  evasion trojan
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  Libs/MahApps.Metro.dll
- Size
  
  780KB
- MD5
  
  2871fa8aeabf5fd88de5e6d03eaa60fa
- SHA1
  
  1e40c0ae40a583f7ecfc7f2a4607c61475952309
- SHA256
  
  977e2267b546ec825a4610a7e8fc4c09dce4e97888621cefd306bbd562f29066
- SHA512
  
  afdefca73b08e86663b311e5fba24a37f22195ec2a5ce09867e6a543bdb6667b58e1168b1ff981e7ff7ececa413f4791eff725fc350d351cbb646aae8ad9a5f1
Score

1^/10
behavioral3 behavioral4
- Target
  
  Libs/Microsoft.Threading.Tasks.Extensions.Desktop.dll
- Size
  
  46KB
- MD5
  
  e548a93d16964e52868c47cef1c98f2e
- SHA1
  
  4b96b0aa48f6ac050a764c7d65f4129a9bb8cf21
- SHA256
  
  f71621c47c610e0886846cf53d955fd0e7448951f99ecc22facd47493ef97a87
- SHA512
  
  fd1377b5d2d792eccf2ab9a01529838f178126fd6748da8e27cbc908ea83813fb4de021aa88989186459fef1c11be76aaf8b29b2291203d5f34f98361acf77ab
Score

1^/10
behavioral5 behavioral6
- Target
  
  Libs/Microsoft.Threading.Tasks.Extensions.dll
- Size
  
  30KB
- MD5
  
  6aa2393ff1fde1a61d0cf51730428f74
- SHA1
  
  3c847a95a6547aa49919789d7a0cb6ed76122849
- SHA256
  
  92f1d0d6ccfb0d030789f3c5c636fcdd08f6d0541a5a54f185e8ecd85592e3f9
- SHA512
  
  1af984ec56885cdea9a0e379d659b65196713571377e2db267259dbc1f8748f1a610b0183a8fea3730f0049c3468f632240475730563c6413cbc88cc76032d91
Score

1^/10
behavioral7 behavioral8
- Target
  
  Libs/Microsoft.Threading.Tasks.dll
- Size
  
  36KB
- MD5
  
  d01819bfe03222dfa9e35a36555b6b6c
- SHA1
  
  25f8069590b14724f28e6a04b8a42e4ef4a8562d
- SHA256
  
  5f29e16edff5379e93d5be9bee4cddf98132b84326027688511ac0f3157aaf94
- SHA512
  
  e63901f39315972e446768f2c14b4279cf1dd382f97ac90c444c4d858c2a486736a259c47245026b11e5c0846310e7da020bf2466ea91aa0a15d22cb67b37477
Score

1^/10
behavioral9 behavioral10
- Target
  
  Libs/System.IO.dll
- Size
  
  20KB
- MD5
  
  05aa69dfc063cd17312348bcb08a1f4f
- SHA1
  
  9ac9b30c8a15ff8ca4357df532a3cf9fcf252f6a
- SHA256
  
  66400c153c76b965c9156c31aa34453caef250056c5dd0888dac011d7a3f7f4a
- SHA512
  
  1f43ee7a1fb085270b6cdb0aef28984b8e53532b8b2347fce8ea1910818b8b6104461670d3a86ca796fe0fa1a16c953aca7d29aa92fb1cd4a9c98712fb5d8000
Score

1^/10
behavioral11 behavioral12
- Target
  
  Libs/System.Runtime.dll
- Size
  
  21KB
- MD5
  
  7b864dd560373e17f38338dfdc299182
- SHA1
  
  0ca4686635ac12ecbed9050e98117242b69fc004
- SHA256
  
  0f1f595042419911eef073fcc6a7f3d1ff7cb360dde964db0ca0fa136264aeae
- SHA512
  
  dadbe37d03021865c709ede5ffd247c1f9f34cf912e578d3f75e829be9e30735c334b48507e0324b33dd619cdae1d07b74fd81f4c19d271983f7f1e90a340fb3
Score

1^/10
behavioral13 behavioral14
- Target
  
  Libs/System.Threading.Tasks.dll
- Size
  
  33KB
- MD5
  
  1183ca0085c8b22276342c342a4f2e02
- SHA1
  
  c6271bf1da0c0b2f729246856616a577dc84ca5a
- SHA256
  
  718db47e2fa88d0dad322c6255a22fa2cb1b635a6c5be06c672572f1b0a6642f
- SHA512
  
  2d8a6646d80d1343b1de11f54113b233d7c9fed13f70a7d515abafb31b1108801dfb32d418471f0772b42a9ed567c5cd80a32371142f3c5048861dceb42db3ac
Score

1^/10
behavioral15 behavioral16
- Target
  
  Libs/System.Windows.Interactivity.dll
- Size
  
  39KB
- MD5
  
  3ab57a33a6e3a1476695d5a6e856c06a
- SHA1
  
  dabb4ecffd0c422a8eebff5d4ec8116a6e90d7e7
- SHA256
  
  4aace8c8a330ae8429cd8cc1b6804076d3a9ffd633470f91fd36bdd25bb57876
- SHA512
  
  58dbfcf9199d72d370e2d98b8ef2713d74207a597c9494b0ecf5e4c7bf7cf60c5e85f4a92b2a1896dff63d9d5107f0d81d7dddbc7203e9e559ab7219eca0df92
Score

1^/10
behavioral17 behavioral18
- Target
  
  NativeDecompress.dll
- Size
  
  1.2MB
- MD5
  
  84b679ddb4975de2d2fc0e1a37042ac5
- SHA1
  
  5e80e5df5514ce5603578c738a63210ef4c2f55e
- SHA256
  
  64284f7cddd51086946191dbaaf1d23869b99ef47892f250682c2d568aa874f5
- SHA512
  
  3c574ed06b7d798c1f92dad6019ee510b660fcb2267f91528cfcc94c96a003f55504d534aaea694baa87a21665c8c180e4e1ad5735041a779336f2996062ec2a
Score

9^/10

evasion trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral19 behavioral20

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

bootkitevasionpersistencetrojan

behavioral2

bootkitevasionpersistencetrojan

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20