General
Target: 06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928
Size: 2.3MB
Sample: 220605-skg2zsfhcn
MD5: f7c557fc2403c86746f2f45a25b98920
SHA1: fe7761f978e3d956cbe1c16a2ac4146b6ede54a9
SHA256: 06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928
SHA512: a52ca721f7f17380bb26cf80e7515c53f39cab9453e21f6515c39975fa3c0cbc05d3e15efa4cf0c23035e9ee42c778f3cb0930c1f299fbd4c34b020f6af6fdbf

Static task: static1
Behavioral task: behavioral1
Sample: 06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928.exe
Resource: win7-20220414-en
Malware Config
Extracted
sality
Targets
Target: 06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928
Size: 2.3MB
MD5: f7c557fc2403c86746f2f45a25b98920
SHA1: fe7761f978e3d956cbe1c16a2ac4146b6ede54a9
SHA256: 06fc2a1a5b0e282508bbf99ddb356cd8cde51ec3ef5327fa482197a4bc01d928
SHA512: a52ca721f7f17380bb26cf80e7515c53f39cab9453e21f6515c39975fa3c0cbc05d3e15efa4cf0c23035e9ee42c778f3cb0930c1f299fbd4c34b020f6af6fdbf
- Modifies firewall policy service
- suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Suspicious use of NtSetInformationThreadHideFromDebugger
MITRE ATT&CK Enterprise v6
Defense Evasion
- Bypass User Account Control (1)
- Disabling Security Tools (3)
- Install Root Certificate (1)
- Modify Registry (7)
- Virtualization/Sandbox Evasion (2)