General
Target: Vape_v4.08.rar
Size: 16.0MB
Sample: 220629-tgr88aahak
MD5: fb2573ff736f5ba0c5d15ef95c691537
SHA1: c84057855487a7f7459ff9508e9e78d197f9b82b
SHA256: 52635463d833711ea1cd1c5db3cd22407fa5c45b74327cde14bde9bb9aa54754
SHA512: fb4128cafb4c66763d7cda2d206510352a259e8d89b6d59907b586bbb85868341dd75e9881dd1e1f1702bb7c27d70db9a4355ca5602a1e79a792b3a237ccaa91
Static task: static1

Behavioral task: behavioral1
  Sample: Vape_v4.08/Vape_v4.08/Kangaroo Patcher.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: Vape_v4.08/Vape_v4.08/Kangaroo Patcher.exe
  Resource: win10v2004-20220414-en

Behavioral task: behavioral3
  Sample: Vape_v4.08/Vape_v4.08/Vape_v4.08.exe
  Resource: win7-20220414-en

Behavioral task: behavioral4
  Sample: Vape_v4.08/Vape_v4.08/Vape_v4.08.exe
  Resource: win10v2004-20220414-en

Behavioral task: behavioral5
  Sample: Vape_v4.08/dumper/mitm_server.py
  Resource: win7-20220414-en

Behavioral task: behavioral6
  Sample: Vape_v4.08/dumper/mitm_server.py
  Resource: win10v2004-20220414-en
Malware Config

Targets

Target: Vape_v4.08/Vape_v4.08/Kangaroo Patcher.exe
Size: 4.6MB
MD5: 55ea9286646485b9216e301dcfb7d67e
SHA1: 64c7c3b31299a107af75de929b34eea1b4c119bd
SHA256: 5db970f480efa49e46dbb809996e7b17e7860895190dc12f08d0950333757a50
SHA512: 3504df32bc188f5cc8fde35f50f9da84beb9c8088d748f401a6484ad16e5f00e3b75613f8ad366b0122a055b92b25df543a6a5534a1822450022361e31073f03
Signatures:
- Modifies security service
- NirSoft WebBrowserPassView: password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.

Target: Vape_v4.08/Vape_v4.08/Vape_v4.08.exe
Size: 7.6MB
MD5: 7407fd99ee1940051b4f543656ea9b0a
SHA1: 7149b25db501b75111ac77fe4bcfe6915058757a
SHA256: bef628b23396d36849beac1bf633859d02f82ae9dc877281862b7e9e85148ecd
SHA512: 804a257e128f54d5febaca7424f308403e092f773119075270b89d8721e9cc91e3b7adc402ad9a9fbb252b5af250745d2f6a34f523f30b1f08c212aea0e5b75d
Signatures:
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: Vape_v4.08/dumper/mitm_server.py
Size: 4KB
MD5: fb2ea3294517bab463df4273e7c6bcd6
SHA1: 1a5eb75bff26c1d8a8cfefa57a8ea7fe366b7546
SHA256: bc130c050da31bc55f7d6aa1c7a7e0817f289fa0eaf72ffa253cbaa10c45aff7
SHA512: ef56b9000dca93f34a5badb94299f27cd0cca267decf9c99b60dfe7b60d5df748900da7a422882a80f0a26a552bcb0588298096aa56d80c2026e190da862dfa7

Score: 3/10