General
- Target: 8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83
- Size: 1.5MB
- Sample: 221126-n7w27scb35
- MD5: 876454cb19e951b6af7055337bfa0ec2
- SHA1: bcf59cd759187283f6929c740bfec43458c215b6
- SHA256: 8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83
- SHA512: 253ab1bf8524b64d4427a21793137fd0a68fc56a74239590da4bbf7b271c7fbb1aac71616743acf29f55542753dc1a05f31dda5e56d9af4ba49da133265a83d1
- SSDEEP: 24576:6kC9Gv9ZgS1BU6WLPICFFcjD+fUtRYWJVxbQzNCpEFU0HkA6cC7y4NWmXd57vIWg:6PPS1fhrtHoTtvev7QWg
Behavioral task: behavioral1
- Sample: 8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83.exe
- Resource: win7-20220812-en
Malware Config
Extracted
- Protocol: ftp
- Host: www12.subdomain.com
- Port: 21
- Username: user1577439
- Password: jetaimeradouane
Targets
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys: Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext