General

Target: Open_with_Pass_1234.rar
Size: 6.0MB
Sample: 220708-hhtmwsdffl
MD5: 43c600be3be59b952884896bcb436137
SHA1: 46aedea28061f1f70006631ec1623bf1c4a1e0f2
SHA256: ac213f59b8e531996dd838fa8b00ee83d06f6f9651282b5a21ed534fe956706e
SHA512: 05f1015252d14cf0881467b2d63fc7302ea0c97d7606b6f6267acd8d10775bf5b0c1474c053bb8cada4495cb4005c9abbba95304c7c8aeb894d042cf38000a1a
Static task: static1
Malware Config

Targets

Target: Setup.exe
Size: 392.0MB
MD5: 86a7afbd5dd056e989c5f2d54a83dec0
SHA1: 81f4b5f2c3d53559d2788c3235006d693b40a090
SHA256: f7227fd311224935d11cbfd8c08a9c81c77c368286e39e9344778db1ecae50d4
SHA512: c75076a8e385d03bc6c1042f2972bbe96c063e61a5b8f33a87657890c07000ee8f81f20ed92bcd74293c02a3a1af09ce55d2852bc4f7fd0d61cc47c2fc3ac8e8
- suricata: ET MALWARE Generic .bin download from Dotted Quad
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger