General
- Target: 90189f8dffe3cbfbb1dc181647b2219b.exe
- Size: 2.3MB
- Sample: 230329-vx5d6ahc26
- MD5: 90189f8dffe3cbfbb1dc181647b2219b
- SHA1: 118060f3ce88ccf0b7d9d1777b5e93948d4b15fd
- SHA256: 9daf88d6bf23e8a364ae873b6fd8e6f51cdb8d5ee57ba502a564e71f1bc00c10
- SHA512: c0f469355304226bf0d3ecb84f877d10da0d35695011d3d1cd7bb3a7d2330ee92f6cdd9eea5d1c75c29a140f45f7a67f3b779db645c71b1272eb9c046d85f96a
- SSDEEP: 24576:SdyOaWSMdZo5NYyyVo6cc0WwZ/ct3mW2ny/v/LtGZsYjot0hq+BMGzHOMJWv+pA+:SdyO++HiqAMe/i/09y/6j
Static task: static1
Behavioral task: behavioral1
- Sample: 90189f8dffe3cbfbb1dc181647b2219b.exe
- Resource: win7-20230220-en

Malware Config
- Extracted: cryptbot
- http://ivyhur32.top/gate.php
- payload_url: http://womheq04.top/favism.dat
Targets
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Maps connected drives based on registry: disk information is often read in order to detect sandboxing environments.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext