52635463d833711ea1cd1c5db3cd22407fa5c45b74327cde14bde9bb9aa54754

General

Target

Vape_v4.08.rar
Size

16.0MB
Sample

220629-tgr88aahak
MD5

fb2573ff736f5ba0c5d15ef95c691537
SHA1

c84057855487a7f7459ff9508e9e78d197f9b82b
SHA256

52635463d833711ea1cd1c5db3cd22407fa5c45b74327cde14bde9bb9aa54754
SHA512

fb4128cafb4c66763d7cda2d206510352a259e8d89b6d59907b586bbb85868341dd75e9881dd1e1f1702bb7c27d70db9a4355ca5602a1e79a792b3a237ccaa91

Score

10^/10

Malware Config

Targets

- Target
  
  Vape_v4.08/Vape_v4.08/Kangaroo Patcher.exe
- Size
  
  4.6MB
- MD5
  
  55ea9286646485b9216e301dcfb7d67e
- SHA1
  
  64c7c3b31299a107af75de929b34eea1b4c119bd
- SHA256
  
  5db970f480efa49e46dbb809996e7b17e7860895190dc12f08d0950333757a50
- SHA512
  
  3504df32bc188f5cc8fde35f50f9da84beb9c8088d748f401a6484ad16e5f00e3b75613f8ad366b0122a055b92b25df543a6a5534a1822450022361e31073f03
Score

10^/10

evasion spyware stealer trojan upx
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Modifies security service
  evasion
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2
- Target
  
  Vape_v4.08/Vape_v4.08/Vape_v4.08.exe
- Size
  
  7.6MB
- MD5
  
  7407fd99ee1940051b4f543656ea9b0a
- SHA1
  
  7149b25db501b75111ac77fe4bcfe6915058757a
- SHA256
  
  bef628b23396d36849beac1bf633859d02f82ae9dc877281862b7e9e85148ecd
- SHA512
  
  804a257e128f54d5febaca7424f308403e092f773119075270b89d8721e9cc91e3b7adc402ad9a9fbb252b5af250745d2f6a34f523f30b1f08c212aea0e5b75d
Score

9^/10

evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral3 behavioral4
- Target
  
  Vape_v4.08/dumper/mitm_server.py
- Size
  
  4KB
- MD5
  
  fb2ea3294517bab463df4273e7c6bcd6
- SHA1
  
  1a5eb75bff26c1d8a8cfefa57a8ea7fe366b7546
- SHA256
  
  bc130c050da31bc55f7d6aa1c7a7e0817f289fa0eaf72ffa253cbaa10c45aff7
- SHA512
  
  ef56b9000dca93f34a5badb94299f27cd0cca267decf9c99b60dfe7b60d5df748900da7a422882a80f0a26a552bcb0588298096aa56d80c2026e190da862dfa7
Score

3^/10
behavioral5 behavioral6