Overview

overview

9

Static

static

ppdjdafasq...??.url

windows7_x64

6

ppdjdafasq...??.url

windows10-2004_x64

6

ppdjdafasq...06.exe

windows7_x64

9

ppdjdafasq...06.exe

windows10-2004_x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0aeb86699aaeabff70d60aaad71285d9a942d8e9f0f230df858ed9789ab4a25a

  • Size

    1.9MB

  • Sample

    220530-f9bv2sefd3

  • MD5

    c4ea4d1b3cb6ea95452258464d7c5c63

  • SHA1

    e561e89f837cd99c9d21e7c99ee9b86d12776489

  • SHA256

    0aeb86699aaeabff70d60aaad71285d9a942d8e9f0f230df858ed9789ab4a25a

  • SHA512

    bb92a99bc4ece69b768eae9d96376c5b2b6f4f5670fa2f0a37a87b7fb8d1497aec8ec57846d3f30e898b5aa21f87f5c61d31fb6d3c4f18ed9494c41e82f385a5

Score
9/10
evasionpersistencetrojan

Malware Config

Targets

    • Target

      ppdjdafasqfz_gr/??????.url

    • Size

      219B

    • MD5

      122e953f3a92541c27cc62db2d9bb0f7

    • SHA1

      5c85d98b4bce0daac9631297ddb00b005161d131

    • SHA256

      5bf9390d32df4da5ddb91425fc5002768a85305964a8e0cb8eda391b4b6511dd

    • SHA512

      77240964186d2e9c9c73ed6bf13edccaeb40c0d8cbf477080c9a40a76d044964330e97421e4b45818bfbb2688e6bfaf6720a52f2efdd3b944f3624b1b5767583

    Score
    6/10
    evasiontrojanpersistence
    behavioral1behavioral2

    • Target

      ppdjdafasqfz_gr/???????????6.06.exe

    • Size

      1.9MB

    • MD5

      189e90af285ac23f7c7e613455e78e43

    • SHA1

      7353341eb1cdea65e69be679bd5d00c7faf9d63e

    • SHA256

      fa640ccad7e977a775f19e69a317d07c163f9dce07a2e984d45f3579eefb4f30

    • SHA512

      3702ed7e63d9bb0497e84e50e98309cc5d38032f2c0663d1d2b80bf78d3027cbe7f85bb52c7864d96262c9df96f32f02d54ec19877188054e721310d0a8f5353

    Score
    9/10
    evasion

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

4
T1112

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Discovery

System Information Discovery

5
T1082

Query Registry

4
T1012

Virtualization/Sandbox Evasion

2
T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks