General
- Target: DiscordSetup.exe
- Size: 6.0MB
- Sample: 221012-kr2e7sdah7
- MD5: 0906bfbcac00c26b080d3ba4f4542579
- SHA1: eca76f73d94d388b51d3b5f97525ab49fb47f8c6
- SHA256: 5081dcd1a166a86ae2915ffa8e85c0d926699443a232bb9eb1d62ff7b94626d1
- SHA512: 2640ba2765afeef95c753fb0ec9222717fa3e228a93e34e4ff402dc173fc575945da0b35ecc59aa489051c876d77e4c2bf14abf48ac57831ae044d6b9e33a527
- SSDEEP: 98304:TlxV6zRhld9E1BlYb9uto2jgrGeweoSYp2prwvLWaNFXvow17IugzlHbGSZBN7fe:TnV8ld98BlON2jnbNswvBXvowJgzl7Gr
Behavioral task: behavioral1
- Sample: DiscordSetup.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: DiscordSetup.exe
- Resource: win10v2004-20220901-en
Malware Config
Extracted:
- C:\Users\Admin\desktop\README.txt
- emotet.gang@protonmail.com
- 16Eoi7psqDG1PuXtaodK3bk5bsFR6drnT5
Targets
- Target: DiscordSetup.exe
- Size: 6.0MB
- MD5: 0906bfbcac00c26b080d3ba4f4542579
- SHA1: eca76f73d94d388b51d3b5f97525ab49fb47f8c6
- SHA256: 5081dcd1a166a86ae2915ffa8e85c0d926699443a232bb9eb1d62ff7b94626d1
- SHA512: 2640ba2765afeef95c753fb0ec9222717fa3e228a93e34e4ff402dc173fc575945da0b35ecc59aa489051c876d77e4c2bf14abf48ac57831ae044d6b9e33a527
- SSDEEP: 98304:TlxV6zRhld9E1BlYb9uto2jgrGeweoSYp2prwvLWaNFXvow17IugzlHbGSZBN7fe:TnV8ld98BlON2jnbNswvBXvowJgzl7Gr
- Score: 10/10
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Suspicious use of NtSetInformationThreadHideFromDebugger