General

Target: anydesk.zip
Size: 1KB
Sample: 221130-vrp3aaaa23
MD5: 9ef660e9201d3173da6a8dbcd411d246
SHA1: 8430d56596e40196ffba30d3efb8ce66db24663d
SHA256: 28cf80111581dd0915db20b2f446827507e4015149157bf869c8b7d9e82e18b9
SHA512: 45b7a4e1824a1763392d7ccb35f6be0ace6e73c9554e11076e5c388ad4e80bd578e37a0a10e505d31dec93545442a541e38b3447fd098e24f6ba7bf9d14858b0
Static task: static1
Behavioral task: behavioral1
Sample: anydesk.exe.lnk
Resource: win7-20220901-en

Malware Config
Extracted: https://zupermann.com/s/as.hta
Targets

Target: anydesk.exe.lnk
Size: 1KB
MD5: 69efba8911a9f53798360f03b92f2226
SHA1: 2da3aa791c3683ba2a7d42e7b5cf2504a5a19518
SHA256: 0c92738f0f59039085bb50f833a7a228fe217b01b53257db5b43f3f146400859
SHA512: 9baab4dce364377d9263d88b7cf948230e9cb633b61bcd62b2355840cd5ffe4cb86c6afb6eead0ce121d8be1c0c95c22d1ae18543368f479272de29e90fc44d5
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocklisted process makes network request
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger