General

  • Target

    956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6

  • Size

    454KB

  • Sample

    220520-grg5sagbdj

  • MD5

    29e6d27c57748d5d213aa77d707a2a05

  • SHA1

    9cf15e6d65557297fe4223fbfd48d3c31ca54734

  • SHA256

    956b829ffcde9070a7b78fd56d3e08dc3d91a0d73d4aaaca1ef573f5386508c6

  • SHA512

    80dd38fc5fa39cd79b4e9eb83557608f92ac4a2a8423cf61eb1ec7c3d3bff15ea1217898faeae3e69682a42918974d08938804b11f56a24b95431d215a7fea9d

Targets

    • Luminosity

      Luminosity is a RAT family that was sold commercially while being marketed as a system administration utility.

    • Modifies WinLogon for persistence

      Winlogon values such as Shell and Userinit name programs that run at every interactive logon, which makes them a common persistence point.

    • Looks for VirtualBox Guest Additions in registry

      The Guest Additions key is only present inside a VirtualBox guest, so finding it is a sign the sample is running in an analysis VM.

    • Executes dropped EXE

    • Looks for VMWare Tools registry key

      Likewise, the VMware Tools key is only present inside a VMware guest.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Adds Run key to start application

      Run keys start the named program at logon, a second persistence mechanism alongside the Winlogon change.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

      SetThreadContext is commonly used to redirect execution in another process, for example in process hollowing or other code injection.
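
The following script is an added example and is not part of the sandbox report or of the Luminosity sample. It checks a Windows host (or an analysis image being hardened) for the two classes of artefact the report lists: the persistence locations the sample modifies (Winlogon Shell/Userinit and the Run keys) and the VM indicators the sample queries before running (VirtualBox Guest Additions key, VMware Tools key, BIOS strings). The stock Winlogon values and the registry paths are standard Windows locations; the regular expression of VM vendor strings is an assumption chosen for illustration. The script is read-only.

```powershell
# Added example (not the report's or the sample's code): triage the persistence
# and VM-detection artefacts listed in the signatures above. Run in an elevated
# PowerShell; nothing is written to the registry.

$findings = @()

# 1. Winlogon values commonly abused for persistence. The defaults are the stock
#    Windows values; any other value deserves a look.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$defaults = @{
    'Shell'    = 'explorer.exe'
    'Userinit' = 'C:\Windows\system32\userinit.exe,'
}
foreach ($name in $defaults.Keys) {
    $value = (Get-ItemProperty -Path $winlogon -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -ne $value -and $value -ne $defaults[$name]) {
        $findings += [pscustomobject]@{ Category = 'Winlogon'; Location = "$winlogon\$name"; Value = $value }
    }
}

# 2. Run keys ("Adds Run key to start application"). Every entry is listed so the
#    analyst can compare against a known-good baseline.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
        $findings += [pscustomobject]@{ Category = 'Run key'; Location = "$key\$($p.Name)"; Value = $p.Value }
    }
}

# 3. Artefacts the sample reads to decide whether it is inside a VM or sandbox.
#    If these are present on an analysis image, the sample may refuse to run.
$vmKeys = @(
    'HKLM:\SOFTWARE\Oracle\VirtualBox Guest Additions',
    'HKLM:\SOFTWARE\VMware, Inc.\VMware Tools'
)
foreach ($key in $vmKeys) {
    if (Test-Path $key) {
        $findings += [pscustomobject]@{ Category = 'VM artefact'; Location = $key; Value = 'present' }
    }
}

# Vendor strings to look for in the BIOS values; this list is an assumption for
# illustration, extend it to match the hypervisors you use.
$vmPattern = 'VMware|VirtualBox|innotek|QEMU|Xen|Hyper-V|Virtual'
$bios = Get-ItemProperty -Path 'HKLM:\HARDWARE\DESCRIPTION\System\BIOS' -ErrorAction SilentlyContinue
foreach ($name in 'SystemManufacturer', 'SystemProductName', 'BIOSVendor') {
    $v = $bios.$name
    if ($v -match $vmPattern) {
        $findings += [pscustomobject]@{ Category = 'BIOS string'; Location = "HKLM:\HARDWARE\DESCRIPTION\System\BIOS\$name"; Value = $v }
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | Format-Table -AutoSize }
```

Run key entries are reported unconditionally because there is no universal default; compare them against a clean baseline of the same image. On a sandbox image, any "VM artefact" or "BIOS string" finding is a candidate for removal or renaming before detonating a sample that carries these checks.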
