c70a09aa15fb87f998f6dcbafe881eb7f0af3d07b08729ad584a802542994ccd | Triage

Submit
Reports

Overview

overview

Static

static

1

avast_free...ne.exe

windows7-x64

8

avast_free...ne.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

avast_free_antivirus_setup_online.exe
Size

256KB
Sample

230203-tp31pabe7z
MD5

2c0e37a5445b4b035f1b0cca50e7d60f
SHA1

9819510b7d8bc6eb9c70f26aeb4063413513575b
SHA256

c70a09aa15fb87f998f6dcbafe881eb7f0af3d07b08729ad584a802542994ccd
SHA512

e2cbf892b509bab0e56385c80bbd011a9d892af42de5b192cc91d31b9d50bd8ab67aba5e9c88b57bb6c467da4421435e9b5392bdfc2f8a5d30244f0cfa7eb3cc
SSDEEP

6144:oCfHrZae3GFqRQcMeh4WpywpjchNCPnoeb:oCfLZadcM24fRN3e

Score

10^/10

bootkit discovery evasion persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

avast_free_antivirus_setup_online.exe

Resource

win7-20220812-en

bootkit persistence

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

avast_free_antivirus_setup_online.exe

Resource

win10v2004-20220812-en

bootkit discovery evasion persistence spyware stealer trojan

windows10-2004-x64

28 signatures

150 seconds

Malware Config

Targets

- Target
  
  avast_free_antivirus_setup_online.exe
- Size
  
  256KB
- MD5
  
  2c0e37a5445b4b035f1b0cca50e7d60f
- SHA1
  
  9819510b7d8bc6eb9c70f26aeb4063413513575b
- SHA256
  
  c70a09aa15fb87f998f6dcbafe881eb7f0af3d07b08729ad584a802542994ccd
- SHA512
  
  e2cbf892b509bab0e56385c80bbd011a9d892af42de5b192cc91d31b9d50bd8ab67aba5e9c88b57bb6c467da4421435e9b5392bdfc2f8a5d30244f0cfa7eb3cc
- SSDEEP
  
  6144:oCfHrZae3GFqRQcMeh4WpywpjchNCPnoeb:oCfLZadcM24fRN3e
Score

10^/10

bootkit persistence discovery evasion spyware stealer trojan
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Drops file in Drivers directory
- Sets service image path in registry
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Registers COM server for autorun
  persistence
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Disabling Security Tools

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

Discovery

Peripheral Device Discovery

Query Registry

Security Software Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

bootkitpersistence

behavioral2

bootkitdiscoveryevasionpersistencespywarestealertrojan

© 2018-2025

Terms | Privacy