General
Target: 86a4cdd8a4ce24624f28de4d77283dbb.exe
Size: 795KB
Sample: 230314-jzeezaec63
MD5: 86a4cdd8a4ce24624f28de4d77283dbb
SHA1: c363e391e8a6db6b69444de2a7f1ba22f7f78eba
SHA256: bcb279b39192d656df357e8bb33bc52ebddc209d6ecdbff75ca65334af06905a
SHA512: cd6d53a7e1564117ef8c9cc277bbb3ece668b211fbabef00192ccbbd916dfec9225fcf498248347b048957b123cfc0332e059aedf84d6f945411c8eed29f10db
SSDEEP: 12288:RQMHUQ8/KyJa1XNrW1kQZTTU2pJrt0EeUOf9ngj6pGJ4iHfQG+HHIisH:KMHGyZJWDZTIMJWEeUe9nVi/b+HoBH
Static task: static1
Behavioral task: behavioral1
Sample: 86a4cdd8a4ce24624f28de4d77283dbb.exe
Resource: win7-20230220-en
Malware Config
Extracted: cryptbot
http://ernlen22.top/gate.php
payload_url: http://ovalim02.top/magpie.dat
Targets
Target: 86a4cdd8a4ce24624f28de4d77283dbb.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext