General
-
Target
Ninite 7Zip Everything FileZilla Firefox Glary Installer.exe
-
Size
415KB
-
Sample
230324-rl67tseh39
-
MD5
70eaf7cf298ec91e660094e15396630a
-
SHA1
03cd3f58f8fd04dc8df3f061c06cb2e60f9a8793
-
SHA256
c586ba7a49aacf1ce0651d8ae6a110fa1f71cc762790e7b9322f5b5aa1f7cdd5
-
SHA512
2e7d0f0600d91429d35c905cb57f97bd3445257e2417ab47e8106f5411b83d9139e73dd4715b26c1239d82388c768b55a933dd4a22907daed5bf61a6a262e773
-
SSDEEP
6144:ehuGbXZA2zNMPMPwVtiN44zAi5NAOig3TBrCZMszqLi7ksvmacmWnZTe:CuypA2hESwGRwg3TBPi7BvmZmwZi
Static task
static1
Behavioral task
behavioral1
Sample
Ninite 7Zip Everything FileZilla Firefox Glary Installer.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Ninite 7Zip Everything FileZilla Firefox Glary Installer.exe
Resource
win10v2004-20230220-en
Malware Config
Targets
-
-
Target
Ninite 7Zip Everything FileZilla Firefox Glary Installer.exe
-
Size
415KB
-
MD5
70eaf7cf298ec91e660094e15396630a
-
SHA1
03cd3f58f8fd04dc8df3f061c06cb2e60f9a8793
-
SHA256
c586ba7a49aacf1ce0651d8ae6a110fa1f71cc762790e7b9322f5b5aa1f7cdd5
-
SHA512
2e7d0f0600d91429d35c905cb57f97bd3445257e2417ab47e8106f5411b83d9139e73dd4715b26c1239d82388c768b55a933dd4a22907daed5bf61a6a262e773
-
SSDEEP
6144:ehuGbXZA2zNMPMPwVtiN44zAi5NAOig3TBrCZMszqLi7ksvmacmWnZTe:CuypA2hESwGRwg3TBPi7BvmZmwZi
-
Bazar/Team9 Loader payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Uses Session Manager for persistence
Creates Session Manager registry key to run executable early in system boot.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Registers COM server for autorun
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-