General
-
Target
2b0487817f8cf2592db53cea34fa30f2db1a06d046759f23f3e72a0dc61034dd.zip
-
Size
6.4MB
-
Sample
230321-qpwptsae52
-
MD5
de6367de7366c344b27bebb396e9fa2f
-
SHA1
29cec8003a215bd4f03abafebbe8f361be1d227b
-
SHA256
96fa4dd669cf50334482ee49bd267bcdc610ed4af7697531e3d4d292c145c665
-
SHA512
c43949ecaa9360b816093f3699b0acd0693da791fbfd430d8055be49e3a4f76822436056f426c02ea21e50cb72e244ca40abe4be62ec0bdb5c7d861e9761c508
-
SSDEEP
98304:KL6sDEM2cVrvuq52h1hLKrlTm3T4BK71RspCJ5jjr76gIkmXn5ycEEwJ5:VQcPhOrtKytC/fOX5RwD
Malware Config
Targets
-
-
Target
2b0487817f8cf2592db53cea34fa30f2db1a06d046759f23f3e72a0dc61034dd.exe
-
Size
6.8MB
-
MD5
7923c53381886a69939a56da10dcaa42
-
SHA1
a9f1879a7784933381548e9b8cf10462c3910693
-
SHA256
2b0487817f8cf2592db53cea34fa30f2db1a06d046759f23f3e72a0dc61034dd
-
SHA512
b701902129a3f067076d2aae6ac5d73c59eb4c843f51f45ad40e0c2103883246b2f0ac4da57368c51ac9dd10f6adcf2d5a78632ee319ca5c47b1d420c9de5d4a
-
SSDEEP
98304:ftyBvUTI3/T/O5JtzAE0A050xf3yhDWbMsnJfdViU7DICtzkcPLC+5HTb/hIekb3:f8JRaXQ2xfaWYsJlVdDIaL9b5fzC/
Score9/10-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-