General
-
Target
Archive_Pass_55555.rar
-
Size
55.6MB
-
Sample
230201-1y5zzacf83
-
MD5
0ad2912978402473b527d69691449ed3
-
SHA1
8cd1cb51b75be1e363cbecba29799b07a4bc5e0c
-
SHA256
2b081f21ae505c656f1b8dd917d96e920cf52caeea47b9989638fcf967a93a19
-
SHA512
4d2aba780307c115bb6f9012375f972a811b367e31e5045e1d53771ce2c6890e0e5ed36c0f7ac0b5d894880117bcea90e08d1cd60f35ac6d7cb6a5e6077f5e14
-
SSDEEP
1572864:V3LaRtc8ud9HsbVWr+6AeNV9mohVtLQfr8H7Q6o:1LaRtc82brH/r5hVte8HS
Malware Config
Targets
-
-
Target
Setup.exe
-
Size
454.6MB
-
MD5
81f44bbbe2488184c7c60f2aec322b6e
-
SHA1
8bf3621afa0c1c36d36bdefdf4a79240150573e2
-
SHA256
1ac3028b9d6f3953b6852654186502dc53bb22517f993b3197fc466503feee31
-
SHA512
172070f564964cc3866deff321c54746a19387134b670d168806de7d05a91b740997f37ea70ca776d0f5e373bbc661fa61c709b856f3bdb0a91668bf1ba1cba5
-
SSDEEP
98304:UnIH47Yss/HWTdDjqgXzxEOzgOCkKbVVe6/8:JI8HwdDegXdh+RVeO8
Score8/10-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
-
-
Target
Setup_64bit_beta.exe
-
Size
454.0MB
-
MD5
ef24dcc2534834a19a0fa2292ca07b10
-
SHA1
9a6448f758b33b25dfdb8e43925e34b8e7e571ae
-
SHA256
4b2ddf58d0b3db67af2b0660ac1d23d333a37426658c5304a2b21d059080fd8a
-
SHA512
d2ddb41b7bc2067e98f8c4959d76be293496d37a13c9dccaadee88a35ee50a01f9ca17a7fbffad38db7389b3b9473d6ab842bfb86802b220568d40df1c39dbac
-
SSDEEP
49152:+ibdsDXqUSDOg6mwsoWIhZYIQU+1F6eQ+yPQvkyPGjlFGc7Nj1Rh1mY+AbfCst2L:+Bqk6o1hZdQUvQYJL7NBrbfpt2L
Score9/10-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-