ffe2a83d37b7b5657de5c2c2d3fc3db3f4703a0b1a19a9964226eba696040b09

Sharing

Copy URL

Twitter E-mail

General

Target

ffe2a83d37b7b5657de5c2c2d3fc3db3f4703a0b1a19a9964226eba696040b09
Size

16.3MB
Sample

221126-wmhyvadb35
MD5

e4a268ee35592e3c3c206f019f1ddffe
SHA1

e06f4f4df8675cc91b5eca9cb3ca495b0d31e619
SHA256

ffe2a83d37b7b5657de5c2c2d3fc3db3f4703a0b1a19a9964226eba696040b09
SHA512

ce2af0e951abdc598bab2e1f8a5927ff51161dbe8af4999ce09915c2b457b534367e2aa59bd3506f1ec7d0f1772ec387b79c578f2ffd1dbe830d0d944e0fd5c3
SSDEEP

393216:gORTLIBzreOjni7LFLa3otp5jLPd080bQ65wmDk5NIUT4:pFye1Lxa3kbjLFNCQqowUT4

Score

8^/10

Malware Config

Targets

- Target
  
  1433_hack44.cn/12-18/Gh0st.exe
- Size
  
  2.6MB
- MD5
  
  2c691584a50ac8cdfc05f2fb54440a1d
- SHA1
  
  baf0ea2cc4f40e50c22103555467b397c01ef2b1
- SHA256
  
  9d6f5d85e3563556b1e96191e536807d9973b6210b4893f14eaefdb90425a212
- SHA512
  
  287f652ee5066f641c18b6db342e0c768ee209fdcb7a0e23885ec762a7559ecd35db511e421128e6e06317989f7c6469302e412056f328d021d3b11f53e1372b
- SSDEEP
  
  49152:q0hYlq/48tcZUhOhEwj26ntNqn3njurXHMYVTuVbX59ku:q0h+q2Ghg3wn3jur7VKd5t
Score

8^/10

upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  1433_hack44.cn/12-18/MD5修改器.exe
- Size
  
  772KB
- MD5
  
  0f2afa364b5e02702107f085571e3567
- SHA1
  
  e00113a6ecca4731a3b762cd81f66c3376f71be4
- SHA256
  
  0175b727c7e2eb62461878ce3788616b1cefcfd44f61559924fd6ddbd48c1ec0
- SHA512
  
  b03bb984fc80499f07499417d915ddb95bbd28616f49915401435e7b7e1518b1868659c28abbe7cac24cc10e80c1b2883be5343c5fbd4c2e2b6a596f35ae1be1
- SSDEEP
  
  24576:69OAfvjaPIxCHjvnpoAbrK2wz4A94Has:causvnpfOiA94Ha
Score

8^/10

vmprotect
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
behavioral3 behavioral4
- Target
  
  1433_hack44.cn/12-18/update/Server.dat
- Size
  
  421KB
- MD5
  
  f869fd0cd6f3efe23dfcc2abd30ef0da
- SHA1
  
  a09e55e7fa9132d99bc7e46682f11439f935bbfc
- SHA256
  
  09ed4dd4f3a7ce776e4dc49e61d49fcb1120b80ce661b9f8b7f9a4418e89b9cf
- SHA512
  
  511237379ac4184118f34febb020fed3075bf137909d3d133d3e886bf2793a1217b1b6dd7afe31c1fb7154f5fbdcbd8c5a4a6764970712a55547958085fb4d25
- SSDEEP
  
  6144:eMxbU4fq+VszKSNY2t9f/VrhgdE9f/VrhgdE9f/VrhgdlG5zK2:xxbU+sW7+F9lCEF9lCEF9lC6+2
Score

1^/10
behavioral5 behavioral6
- Target
  
  1433_hack44.cn/12-18/update/look me.swf
- Size
  
  20KB
- MD5
  
  943701d120af02e283ad4d1a803a5291
- SHA1
  
  74becdabd083e643eb7ca399a7763a72f7e721ab
- SHA256
  
  fceffef2c269f67efcafd0bc30924e00dcd3f1050e343045e68479fae30e2d58
- SHA512
  
  0fe026a113d2f50d54d865370ec0ee5de92b5aaf979d778435c3d1c581417705e0e40f870630088e315d8ac5fb8acadfa9e0ffe73e5a3a23d9e6c6153ea5d304
- SSDEEP
  
  384:S2nlNHRAyrWCAjhUBuCuL3/T3bxSaXorif94QmwiR/F03fTMBdjXk8y5:5fHRAyrWCAjh2uD739pE0mwiR/FkfTsy
Score

3^/10
behavioral7 behavioral8
- Target
  
  1433_hack44.cn/12-18/update/skin.url
- Size
  
  346B
- MD5
  
  8b3a3d200c3def8b566b9258e0524179
- SHA1
  
  59a49b1525f017e58275c47d26768d2dd51acaff
- SHA256
  
  806dcb6e36ced7feb8d9fa0e00a6ebc8004d0205263b6408e2a54e71e99238d2
- SHA512
  
  c1b3931cd11eed5c9292b5727252dd9cfe400f769d9882ee0fc73976a192df04cf9daa9a5d706450f83bfa02345a0cd830a35250336542650a101788704e82f8
Score

7^/10

evasion trojan
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Checks whether UAC is enabled
  evasion trojan
behavioral10 behavioral9
- Target
  
  1433_hack44.cn/12-18/update/使用方法.url
- Size
  
  347B
- MD5
  
  1dbb52abd11c445da035cbe90e084758
- SHA1
  
  e7294249bed7397bfe77ebd2dcb2345808480f67
- SHA256
  
  0946284aecbd30fd75021ad0f386a7c2e95bc6b626a7768372cb40358a63ada3
- SHA512
  
  26e67274d518b8ce1b29a93f6daa803a50d8cbb7617683b61a645c1d6adb515bfe6c820810d9022cfbe6aec30cd92b55bc418d17623ded203bce05849e9c4f41
Score

1^/10
behavioral11 behavioral12
- Target
  
  1433_hack44.cn/12-18/update/华中帝国收集整理.url
- Size
  
  367B
- MD5
  
  58a78caf11eabb979f934a0bd956fb4e
- SHA1
  
  337cd6b20d93948135a5bca2d27d550b2021e526
- SHA256
  
  410aeaa94c396516454358c1d06962c4adbaa0dd8871f762128d4fa6c99173f6
- SHA512
  
  e022b92acc613a5d2aa0433a8fb36d21c7c86deae426e8ef5155f9934add2444089721cb86691fbb006ef67509b0f400a04d61f8f1558cbee77e98823bcce7ae
Score

1^/10
behavioral13 behavioral14
- Target
  
  1433_hack44.cn/FTP2013.exe
- Size
  
  270KB
- MD5
  
  b195639118d071940cb499bb9a8a0648
- SHA1
  
  8888ab438cf48c323d4c10a93d2c1c17e5a6c715
- SHA256
  
  29a66fc45fc4590d3f7c40414c858e6a739e7b27d2180368cf54f80f315d514d
- SHA512
  
  caec8f36baec8f42d702094c6b3a0cacb39bcb98f7750275daea37d4f9e5cb9f34154a793553850329243ea4f47fd18de867b829a2a0a1210a0d35997aed2e89
- SSDEEP
  
  6144:+8kobAQG+/elBBGPVa5SpvAddZU4ab9SD2ZWL8u7yErPm7:+8kobAo/iBBm9pvAddZhab9SDPLr3Pm
Score

1^/10
behavioral15 behavioral16
- Target
  
  1433_hack44.cn/NB12-18/2014.dat
- Size
  
  85KB
- MD5
  
  c95608e019e95c323e8fa44c02132da1
- SHA1
  
  24cbd02776b01402ebbf78ff4e24651563ce3481
- SHA256
  
  5fd2bbb22dcb332572f67f469a3899acc8cc23c8019248846a125e1d22cda696
- SHA512
  
  cf064bf90ae1f118fb6fb7a12ed17ac88a14fb413e6ee56a3828eefc219ca33413de013981e1bbd2ebd72c4b621ab7de4a506157454963dece84cb825a992026
- SSDEEP
  
  768:qUaLYJ20gAaUvhhCySKiEYEEUJSWIG6FnToIf1GOhjaTkXrNObCtXsPNttbsB8G3:ULYQR8biHEEUDcFnToIfky/rNIPNng3
Score

1^/10
behavioral17 behavioral18
- Target
  
  1433_hack44.cn/NB12-18/MD5修改器.exe
- Size
  
  772KB
- MD5
  
  0f2afa364b5e02702107f085571e3567
- SHA1
  
  e00113a6ecca4731a3b762cd81f66c3376f71be4
- SHA256
  
  0175b727c7e2eb62461878ce3788616b1cefcfd44f61559924fd6ddbd48c1ec0
- SHA512
  
  b03bb984fc80499f07499417d915ddb95bbd28616f49915401435e7b7e1518b1868659c28abbe7cac24cc10e80c1b2883be5343c5fbd4c2e2b6a596f35ae1be1
- SSDEEP
  
  24576:69OAfvjaPIxCHjvnpoAbrK2wz4A94Has:causvnpfOiA94Ha
Score

8^/10

vmprotect
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
behavioral19 behavioral20
- Target
  
  1433_hack44.cn/NB12-18/NetBot5.5.exe
- Size
  
  544KB
- MD5
  
  6379c36c3bb6e0c758a73251ab663810
- SHA1
  
  8bf4731742a1f74914b06706f851d4854172fc92
- SHA256
  
  4ba463bf00edf0327909d1b5e9f7e6b193f907716dff57fc3f7330249dcc116d
- SHA512
  
  379a5c7b563105fdcd71761ba61093fb788b961a1e3d9d6956f35c199dc11bf9d6fe42a3cfde65552f5eab8f884af797611d081f475eccb8f7b95b3299aaca17
- SSDEEP
  
  12288:N+ZF8GCbzHgpjzbgepgC5O6hxZo57oDPzVy3vJaZV:YyfgRjp35O2xqC83vcL
Score

8^/10

upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral21 behavioral22
- Target
  
  1433_hack44.cn/NB12-18/SkinH.dll
- Size
  
  668KB
- MD5
  
  e8409d674111dff5cd94f0deebddc20b
- SHA1
  
  97c413f4154a01ef6fe19154ea677ea90097ef32
- SHA256
  
  9c15c24cea93b4c9830039d147203bb4ea0a19ac67248860e86d54e76d59b3d8
- SHA512
  
  8695870bafc701292fa13786449ac2afc738f6b791d0c26b5013d0984a62a31dd4440ed0896a639d6c1f853973f7f0dd1fed5df47fd718b12e2c0aaf6c9dd404
- SSDEEP
  
  12288:O4I+LDa4ekPTXYUZWtZaf9iDvK/5N9e4IRPpb5yxGO6hg6A5e3:OuDJVTXYUYtEVimng4IRPpw9je
Score

8^/10

upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral23 behavioral24
- Target
  
  1433_hack44.cn/NB12-18/免杀审核.exe
- Size
  
  55.6MB
- MD5
  
  96780cd3d5fd3ad5d8412a1106f544d6
- SHA1
  
  12fa95f4c4cc748ecbec576d42a8fc8454ea05e0
- SHA256
  
  623f204bd680f64a327303e2073a0acd06930f05844c626157a8c80efa1626b2
- SHA512
  
  1d497a3e033dc971355e397cf777459b1d6314ed635b35d3a3d13d1eb2b9141d8c61638a9558b7d755d07037ff7bfa3f3845fb2215a61eb85b340825eedce61f
- SSDEEP
  
  196608:0WfVt+KiLIj0EyVEU+p20svplcl+cxomxFs25pZMMd7P/Keh7RA:iEFpKGrrp/KeTA
Score

1^/10
behavioral25 behavioral26
- Target
  
  1433_hack44.cn/hfs2_3b285/hfs.exe
- Size
  
  848KB
- MD5
  
  ab10437956af910c98764dfd9eec222e
- SHA1
  
  617542edf2abf40ee2e5a9cb3c3ccdc9face216f
- SHA256
  
  48d1e2f9786c379b6a67d04184d4bd43232656d368dd7eecfc3380d239dad4e6
- SHA512
  
  31a98f6bc0d34839ea542b18bf77a14858d176dedd2135288a401baf0933fb3f7fcfe6c5a95b5c990de630e03eca922fa6e2285dddb309fb5d5e0cfa0602311c
- SSDEEP
  
  24576:QBVHbzzj4tLvPoz1rZe/IkAzEcur9tVXJ6Dc:QBVDj4t7oJrYE4cu/bmc
Score

6^/10
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral27 behavioral28
- Target
  
  1433_hack44.cn/乌龙寺1433/FTPHEX/Hex.hta
- Size
  
  1KB
- MD5
  
  9e75fffb2565b61a05a32500f4c90d8a
- SHA1
  
  809ace13627f67b5a6918cd325ab9e098e4d9f41
- SHA256
  
  310430203f54936fa16ea8f628f221cf791c114da5c1acc6214314140bf99d45
- SHA512
  
  a2d82403bd574f98039419a1bd9b2c060139120d305548c581fdc36907c260dc8ebdadd40124bf596308836c82c92004e0fa83a1fc4c86a146eb372a0f1ceed8
Score

1^/10
behavioral29 behavioral30
- Target
  
  1433_hack44.cn/乌龙寺1433/FTPHEX/KSD.dll
- Size
  
  145KB
- MD5
  
  91a7afd5867df33ded475cb3b9d98a84
- SHA1
  
  3eba9d8a18c70119fc1cadcd7480155ab2239950
- SHA256
  
  81224f8f9450e3bf4370f8fdf6dccaae79d1b86f7cf74f2a7204e2f3ecb82491
- SHA512
  
  cb87bc7c495d4242e67b71210d48b454b31d21455478d96c95cac13c5113b53bed699ffaedc2ecf52168837171979f830b7d5cfa6598ee341e6114ff138840ea
- SSDEEP
  
  3072:5PQpbKAIiuB+ZLtHC5q/nsLkce2gpoZskMX2jGCPGd2RDI8p:5PhImEUgek2jGCeAh
Score

3^/10
behavioral31 behavioral32

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

UPX packed file

Suspicious use of NtSetInformationThreadHideFromDebugger

VMProtect packed file

Unexpected DNS network traffic destination

Checks whether UAC is enabled

VMProtect packed file

UPX packed file

Suspicious use of NtSetInformationThreadHideFromDebugger

UPX packed file

Unexpected DNS network traffic destination

Suspicious use of NtSetInformationThreadHideFromDebugger

Looks up external IP address via web service

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32