General

Target: XtraTools.exe
Size: 11.0MB
Sample: 220522-arvybahdbl
MD5: 607d22545f3a0d3cded156a416703d9f
SHA1: e785570f495928e346031095220a6a2b3b7d6a65
SHA256: 1d943db5a108ff4e8438ee06c8b6d06c0d02b7b26fa6acd19b1d0c63cdc26e8a
SHA512: 8efa0711b766b3c52963e772029123064be4ff3ecc823678104762b4887677d46403c350e9fdc22a985b971b9688e46831fd0777d689cff82cab409ad435c8ad
Static task: static1
Behavioral task: behavioral1
Sample: XtraTools.exe
Resource: win7-20220414-en
Malware Config
Targets

Target: XtraTools.exe (the same 11.0MB file; MD5, SHA1, SHA256 and SHA512 as listed under General)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger
  Anti-debugging: a thread with this flag set stops delivering debug events, so an attached debugger no longer sees the thread's exceptions or breakpoints.
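The four registry-based signatures above (ACPI values, BIOS strings, country code, Uninstall keys) are all cheap host-fingerprint lookups, and the useful practitioner question is what the sample saw when it ran them. The script below is an added example, not part of this report and not code from the sample: it replays those lookups on the local host so a sandbox operator can check whether the VM leaks the same tells. The exact key paths and the vendor-string patterns are assumptions taken from common sandbox signatures; the report itself names only the behaviours, not the paths.

```powershell
# Added example: replay the report's registry fingerprint checks on this host.
# Key paths and match patterns are assumptions (standard sandbox-signature
# locations), not something the report states. Run on the analysis VM.

$findings = @()

# 1. ACPI tables. On VirtualBox the OEM ID folders under these tables are 'VBOX__'.
foreach ($table in 'DSDT', 'FADT', 'RSDT') {
    $key = "HKLM:\HARDWARE\ACPI\$table"
    if (Test-Path $key) {
        Get-ChildItem $key -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            if ($_.PSChildName -match 'VBOX|VIRTUALBOX') {
                $findings += [pscustomobject]@{ Check = 'ACPI'; Path = $_.Name; Value = $_.PSChildName }
            }
        }
    }
}

# 2. BIOS strings. SystemBiosVersion is REG_MULTI_SZ, hence the -join.
$bios = Get-ItemProperty 'HKLM:\HARDWARE\DESCRIPTION\System' -ErrorAction SilentlyContinue
foreach ($name in 'SystemBiosVersion', 'VideoBiosVersion', 'SystemBiosDate') {
    $val = ($bios.$name -join ' ')
    if ($val -match 'VBOX|VIRTUALBOX|VMWARE|QEMU|BOCHS|XEN|HYPER-?V') {
        $findings += [pscustomobject]@{ Check = 'BIOS'; Path = "HKLM\HARDWARE\DESCRIPTION\System\$name"; Value = $val }
    }
}

# 3. Geofence input: the configured nation (a numeric GEOID, e.g. 244 = United States).
$geo = Get-ItemProperty 'HKCU:\Control Panel\International\Geo' -ErrorAction SilentlyContinue
$findings += [pscustomobject]@{ Check = 'Geo'; Path = 'HKCU\Control Panel\International\Geo\Nation'; Value = $geo.Nation }

# 4. Installed software via the Uninstall keys (64-bit and WOW64 views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
$apps = foreach ($k in $uninstallKeys) {
    Get-ChildItem $k -ErrorAction SilentlyContinue | ForEach-Object {
        (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).DisplayName
    }
}
$apps = $apps | Where-Object { $_ } | Sort-Object -Unique
$findings += [pscustomobject]@{ Check = 'Uninstall'; Path = 'Uninstall keys'; Value = "$($apps.Count) DisplayName entries" }
# Analysis tooling and guest additions are the entries a sample typically looks for.
$apps | Where-Object { $_ -match 'VirtualBox|VMware Tools|Wireshark|Process Monitor|IDA|x64dbg|Fiddler' } | ForEach-Object {
    $findings += [pscustomobject]@{ Check = 'Uninstall'; Path = 'DisplayName'; Value = $_ }
}

$findings | Format-Table -AutoSize
```

An empty ACPI and BIOS result and an Uninstall list without guest additions or analysis tools means the VM passes the checks this sample performs; a non-zero Nation value is expected and only matters if it falls outside the region the sample is willing to run in, which this report does not reveal.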
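The NtSetInformationThreadHideFromDebugger signature can be confirmed from outside the process, because the same information class can be queried as well as set. The script below is an added example, not part of this report and not the sample's code: it opens each thread of a target process and asks ntdll whether the hide flag is set. The class value 0x11 and the one-byte BOOLEAN result are the widely used but undocumented contract of NtQueryInformationThread and are assumptions here; the process ID parameter is likewise the script's own.

```powershell
# Added example: detect threads that have called
# NtSetInformationThread(ThreadHideFromDebugger) by querying the flag back.
# Assumes THREADINFOCLASS 0x11 and a 1-byte BOOLEAN result (undocumented,
# but long-established). Run against a process you are allowed to inspect.

param([int]$ProcessId = $PID)

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class ThreadHide {
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationThread(IntPtr ThreadHandle, int ThreadInformationClass,
        out byte ThreadInformation, int ThreadInformationLength, IntPtr ReturnLength);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenThread(int dwDesiredAccess, bool bInheritHandle, int dwThreadId);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr hObject);
}
"@

$THREAD_QUERY_INFORMATION = 0x40
$ThreadHideFromDebugger   = 0x11   # same class value the sample passes to NtSetInformationThread

$proc = Get-Process -Id $ProcessId
foreach ($t in $proc.Threads) {
    $h = [ThreadHide]::OpenThread($THREAD_QUERY_INFORMATION, $false, $t.Id)
    if ($h -eq [IntPtr]::Zero) { continue }   # access denied or thread already gone
    [byte]$hidden = 0
    # Length must be exactly 1 or ntdll returns STATUS_INFO_LENGTH_MISMATCH.
    $status = [ThreadHide]::NtQueryInformationThread($h, $ThreadHideFromDebugger, [ref]$hidden, 1, [IntPtr]::Zero)
    [void][ThreadHide]::CloseHandle($h)
    [pscustomobject]@{
        ThreadId           = $t.Id
        Status             = ('0x{0:X8}' -f $status)
        HiddenFromDebugger = ($status -eq 0 -and $hidden -ne 0)
    }
}
```

Samples use the same query to verify that their hide call succeeded, so a debugger that merely ignores the set call is still detectable; anti-anti-debug plugins that hook NtSetInformationThread in the debuggee handle both the set and the subsequent query.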