Extracted

• • Target

    a9f5e3e4df4ed31cb7fb95068d4c240b.exe

  • Size

    7.8MB

  • MD5

    a9f5e3e4df4ed31cb7fb95068d4c240b

  • SHA1

    f40e523b5fc1703fca65f069baf6cd991a4dcf23

  • SHA256

    03aa67a1cb5896c377e33a6d71feedf90088a823e895b35ee651a159a4dc8316

  • SHA512

    791f17b8f6e60bc86e637697bfefb4694769d6a43882686bd663d64d37f97c1929d54f4c445803662d02e387280d70be6f870025ac74827e074e8658b6e3ec7a

  • SSDEEP

    196608:LIRcbH4jSteTGvDxwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQkDxtw3iFFrS6XOf:LdHsfuDxwZ6v1CPwDv3uFteg2EeJUO9E

  Score

  9^/10

  upx

  • ACProtect 1.3x - 1.4x DLL software

    Detects file using ACProtect software.

  • Executes dropped EXE

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Uses Tor communications

    Malware can proxy its traffic through Tor for more anonymity.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2