General
-
Target
File.bin
-
Size
4.8MB
-
Sample
220620-vtd3ssfhfk
-
MD5
c38b1f5087b560432a9e4d401c9c7c7b
-
SHA1
7bd99ddd2e3b5836317d04c506f1cc89a5f90436
-
SHA256
f072f7896731668ac389aa1d7da8c1d12a858bcf58b6ef8d023ffa78ef3f4023
-
SHA512
f09ed2df81cedf1767c5479f7a4f4c322e8c050b4ab5ccbbb8eb8ba87bcc188d67a7cb78a3c6c9a957d6bd1b9f8d9377e43b06ed464408faf3dce95a8a5c585a
Malware Config
Targets
-
-
Target
File.bin
-
Size
4.8MB
-
MD5
c38b1f5087b560432a9e4d401c9c7c7b
-
SHA1
7bd99ddd2e3b5836317d04c506f1cc89a5f90436
-
SHA256
f072f7896731668ac389aa1d7da8c1d12a858bcf58b6ef8d023ffa78ef3f4023
-
SHA512
f09ed2df81cedf1767c5479f7a4f4c322e8c050b4ab5ccbbb8eb8ba87bcc188d67a7cb78a3c6c9a957d6bd1b9f8d9377e43b06ed464408faf3dce95a8a5c585a
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-