General
Target: -setup-EP4hSEO.zip
Size: 12.2MB
Sample: 220609-hmsamahbgr
MD5: ffaed703eda0f2794abac48f481814ad
SHA1: cecb6ed759d27525fd9d0fd17c1325959ea45008
SHA256: 93af2dea04dcdf910e7e8935d97ef4152234433f070d76e2621db0fb8462bfa8
SHA512: 760cb17715b580fdb293e02769999553f08804ec2239757ae1f9b455d00867d3061a66b46b58aac660546d436bb27f00da3f665131b6b9cf9cb1b97e5cdba3a6
Static task: static1

Behavioral task: behavioral1
Sample: -setup-EP4hSEO.exe
Resource: win10v2004-20220414-en

Behavioral task: behavioral2
Sample: .............exe
Resource: win10v2004-20220414-en
Malware Config
Extracted: arkei (Default)
Targets

Target: -setup-EP4hSEO.exe
Size: 6.9MB
MD5: ad6f77750e2dcc496173ae38c404e27a
SHA1: 5b328534d8afdd5a13170b91cddee3be6be7c0ab
SHA256: 45cc6b4e95694369805efde940f551c9bfa3d3b0d7589d83d7738273a6832b64
SHA512: 1ff9dbfcafbfeffa0a36dfb4865d29d0be9aeee987e49607143ca24ab9d80ad86674b483571e541deb049771b804167a36bf7c8ddaef4dce5b0536a160b1951e
- suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- suricata: ET MALWARE Win32/Vidar Variant/Mars CnC Activity (GET)
- suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandbox environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Drops startup file
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control-flow obfuscation.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops Chrome extension
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
  ThreadHideFromDebugger stops the calling thread from raising debug events, a common anti-debugging technique.
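
A worked example added here, not part of the sandbox report or of the tooling that produced it: a small Python triage script that replays Procmon-style registry events and maps them to the behaviour names listed above (BIOS probe, location/GeoID lookup, Uninstall-key enumeration, Run-key persistence). The key paths are the standard Windows locations for each piece of information; that this sample touches exactly these keys is an assumption, because the report names the behaviour but not the key it observed. The CSV rows, PIDs and value names are constructed, not captured from the sample.

```python
"""Triage helper: map Procmon-style registry events to the behaviour names the
sandbox report lists. Added example; not part of the report or its tooling."""
import csv
import io
import re
from collections import defaultdict

# (Procmon operation, path regex, behaviour name as worded in the report).
# The key paths are the standard Windows locations for each piece of
# information; that this sample touches exactly these keys is an ASSUMPTION:
# the report names the behaviour but not the key it observed.
REGISTRY_RULES = [
    ("RegQueryValue", r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\",
     "Checks BIOS information in registry"),
    ("RegQueryValue", r"^HKCU\\Control Panel\\International\\Geo\\Nation$",
     "Checks computer location settings"),
    ("RegEnumKey", r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall$",
     "Checks installed software on the system"),
    ("RegSetValue", r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$",
     "Adds Run key to start application"),
]
COMPILED = [(op, re.compile(rx, re.IGNORECASE), name)
            for op, rx, name in REGISTRY_RULES]

# Constructed sample log in Procmon CSV layout (not captured from the sample).
# explorer.exe and svchost.exe rows show benign processes touching the same
# keys, which is why attribution to the sample's process matters.
SAMPLE_LOG = r"""Process Name,PID,Operation,Path,Result
-setup-EP4hSEO.exe,4120,RegQueryValue,HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion,SUCCESS
-setup-EP4hSEO.exe,4120,RegQueryValue,HKLM\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor,SUCCESS
-setup-EP4hSEO.exe,4120,RegQueryValue,HKCU\Control Panel\International\Geo\Nation,SUCCESS
-setup-EP4hSEO.exe,4120,RegEnumKey,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,SUCCESS
-setup-EP4hSEO.exe,4120,RegSetValue,HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater,SUCCESS
explorer.exe,1688,RegQueryValue,HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion,SUCCESS
svchost.exe,912,RegEnumKey,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,SUCCESS
"""


def classify(csv_text, process=None):
    """Return {behaviour name: sorted unique paths} for one process (or all).

    Restricting to `process` keeps background reads of the same keys by
    other processes from being attributed to the sample.
    """
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if process is not None and row["Process Name"] != process:
            continue
        for op, rx, name in COMPILED:
            # Result is deliberately not filtered: a NAME NOT FOUND on the
            # BIOS or GeoID key still shows the intent to probe it.
            if row["Operation"] == op and rx.search(row["Path"]):
                hits[name].add(row["Path"])
                break
    return {name: sorted(paths) for name, paths in hits.items()}


def evasion_checks(hits):
    """Environment-probing behaviours present (sandbox and geofence checks)."""
    probes = ("Checks BIOS information in registry",
              "Checks computer location settings")
    return [p for p in probes if p in hits]


if __name__ == "__main__":
    found = classify(SAMPLE_LOG, "-setup-EP4hSEO.exe")
    for name, paths in found.items():
        print(f"{name}:")
        for path in paths:
            print(f"  {path}")
    print("evasion probes:", evasion_checks(found))
```

Run against a real Procmon export, filter on the sample's process name (and its children, which this helper does not follow); any single one of these keys is read by legitimate software too, so it is the co-occurrence of the probes with the Run-key write and the Uninstall enumeration in one process that supports the report's verdict.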

Target: .............exe
Size: 5.8MB
MD5: 288d7d66024b6562feeb4d6baed41849
SHA1: cb9efb823a462d1afc8057839fecd224d661102a
SHA256: 7dfffd124e41f73e266f806951457060dfff9950caca0fcd1c542ff5e9a21e34
SHA512: 1793b4c153f4277d65cf99b2758c586f4a59234760916280deab35ae69bd48b3584ba76474243ac67efb98c052b4e9a184c16b93b10ea92292eac46224cf334a
Score: 8/10
- Executes dropped EXE
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.