General

  • Target

    9afbc540aa70a956bca26428a1c059c75d1c84d1a2c6c1a865b103575fa679cf

  • Size

    1.4MB

  • Sample

    221123-m5jhnafh25

  • MD5

    afc697ae4725270873c95fdb1f2d2e0d

  • SHA1

    c34c5fd1fc1fd11716b379c25557c2b9e77d2f38

  • SHA256

    9afbc540aa70a956bca26428a1c059c75d1c84d1a2c6c1a865b103575fa679cf

  • SHA512

    57c7c92ce551edf75fc86cb3e51441c18c83546106bacda93a860cf8d28d87792e8f591590e659eef02660ceb72561855448cc99a8af5b54ff7de2fe6530cabe

  • SSDEEP

    24576:ndgElkKvDyhxmpitSyIN4Vdgu97U17HJICLHmlU3A9MHgDa/:ndDlkK4xXwSbT9M349t2/

Malware Config

Targets

    • Target

      9afbc540aa70a956bca26428a1c059c75d1c84d1a2c6c1a865b103575fa679cf

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks