9a25741d25ecd7174b7235f5fc3b76ea2f8a27cc2ddf0ddf6d51b0d07470b175 | Triage

Submit
Reports

Overview

overview

9

Static

static

9a25741d25...75.exe

windows7-x64

8

9a25741d25...75.exe

windows10-2004-x64

9

Sharing

General

Target

9a25741d25ecd7174b7235f5fc3b76ea2f8a27cc2ddf0ddf6d51b0d07470b175
Size

4.4MB
Sample

221125-ldws8sfh94
MD5

7aaacc5834a1b0d4b3d481df06b0aad0
SHA1

cd2db92fcdf5ddd46cb8e58f27f2c8222c0f510b
SHA256

9a25741d25ecd7174b7235f5fc3b76ea2f8a27cc2ddf0ddf6d51b0d07470b175
SHA512

9264334331b439a820180e0f4d5e8edb3c1eb341cfd15b3e879490c546ba2bdade51e064f85b8532b7799533a512b04244d95d7cb07ad990431bba4e6eca53ac
SSDEEP

98304:1bkO1wmyi7s7B7MEYuU/coXBv/Z9S5CBU5QlPyRBRsvojcKoZ2r:1b1FQi5uU/coXFR9S5CBU4PABRsAnr

Score

9^/10

bootkit evasion persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

9a25741d25ecd7174b7235f5fc3b76ea2f8a27cc2ddf0ddf6d51b0d07470b175.exe

Resource

win7-20220812-en

bootkit persistence spyware stealer

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

9a25741d25ecd7174b7235f5fc3b76ea2f8a27cc2ddf0ddf6d51b0d07470b175.exe

Resource

win10v2004-20220812-en

bootkit evasion persistence spyware stealer trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Targets

- Target
  
  9a25741d25ecd7174b7235f5fc3b76ea2f8a27cc2ddf0ddf6d51b0d07470b175
- Size
  
  4.4MB
- MD5
  
  7aaacc5834a1b0d4b3d481df06b0aad0
- SHA1
  
  cd2db92fcdf5ddd46cb8e58f27f2c8222c0f510b
- SHA256
  
  9a25741d25ecd7174b7235f5fc3b76ea2f8a27cc2ddf0ddf6d51b0d07470b175
- SHA512
  
  9264334331b439a820180e0f4d5e8edb3c1eb341cfd15b3e879490c546ba2bdade51e064f85b8532b7799533a512b04244d95d7cb07ad990431bba4e6eca53ac
- SSDEEP
  
  98304:1bkO1wmyi7s7B7MEYuU/coXBv/Z9S5CBU5QlPyRBRsvojcKoZ2r:1b1FQi5uU/coXFR9S5CBU4PABRsAnr
Score

9^/10

bootkit persistence spyware stealer evasion trojan
- Nirsoft
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks whether UAC is enabled
  evasion trojan
- Drops Chrome extension
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Query Registry

Peripheral Device Discovery

Remote System Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

bootkitpersistencespywarestealer

behavioral2

bootkitevasionpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy