General

Target: AviraPhantomVPN_pass1234.zip
Size: 31.7MB
Sample: 230406-pmd7bseh3w
MD5: e7b64a321e28bb793499a3d696331db6
SHA1: 02640fd006981810215c689508c316188eb48cad
SHA256: 21eed4ad34b45a105a0d215f2bbd1dac8face384f0f75f621d10a3c4a3fe284f
SHA512: d90860a4914035fc2116a8f1c260c58ccfbcf82b3c8012eab9da842ef64d09cbfbb887205b5a76100a33461ce87971e824829111edb43708236e6f8ff655ca6a
SSDEEP: 786432:M6jVlMlC4wWESx547yBEQJXkE5Qa1z8eXY+Lr:lJ4Jn/x5JKQ9dxXY+Lr
Tasks

Static task: static1
Behavioral task: behavioral1 (sample AviraPhantomVPN.7z, resource win7-20230220-en)
Behavioral task: behavioral2 (sample AviraPhantomVPN.7z, resource win10v2004-20230220-en)

The submitted file is the outer zip (its name suggests the archive password pass1234); the static and behavioral tasks were run on the inner archive AviraPhantomVPN.7z, which is listed under Targets with its own hashes.
Malware Config: (no configuration extracted)

Targets

Target: AviraPhantomVPN.7z
Size: 28.6MB
MD5: edcaee17a820898e1ef4c3f1410d322d
SHA1: 304a5c511e352ef0115d70b0dccb0f4802393b34
SHA256: 645ff80fc1abf8919597a792ff5e26fb206f5ad0b5c08bf8a4a365585ca4ece0
SHA512: ce8637d4109997b01a43b4df6d6b0c78902533f56b750fb877044884e14497699239d8bd1ae17aee77bda9e5d4f3cfca4a080dc4b03294c109435fbcf302d2af
SSDEEP: 786432:e6jVlMlC4wWESx547yBEQJXkE5Qa1z8eXY+o:bJ4Jn/x5JKQ9dxXY+o
Score: 9/10

Signatures

- Identifies VirtualBox via ACPI registry values (likely anti-VM). VirtualBox guests expose the hypervisor's ACPI table OEM ID under HKLM\HARDWARE\ACPI\DSDT\VBOX__ (and the FADT and RSDT keys); a sample that opens these keys is checking whether it is running inside an analysis VM.
- Checks BIOS information in registry. BIOS information (HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion and related values) is often read in order to detect sandboxing environments, whose BIOS strings typically name the hypervisor.
- Executes dropped EXE.
- Loads dropped DLL. On their own, running and loading files the sample wrote are expected of any installer; they matter here in combination with the evasion and MBR behaviour below.
- Checks installed software on the system. Looks up Uninstall key entries in the registry (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall) to enumerate software on the system; legitimate installers do this too, so it is a weak indicator by itself.
- Writes to the Master Boot Record (MBR). Bootkits write to the MBR to gain persistence at a level below the operating system; a VPN installer has no reason to write sector 0 of a physical disk, so this is the strongest indicator in the report.
- Suspicious use of NtSetInformationThreadHideFromDebugger. Calling NtSetInformationThread with the ThreadHideFromDebugger information class (0x11) stops debug events from that thread reaching an attached debugger, a classic anti-debugging step.
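To make the signatures above concrete, the following is an added example (not the sandbox's own rule engine) that replays each of the seven behaviours over a constructed event trace. The event schema (op, path, offset, info_class), the SAMPLE_TRACE and BENIGN_TRACE records, and the dropped-file paths in them are assumptions of this example, not data taken from the report; the registry keys and the 0x11 information class are the real Windows values the signatures key on.

```python
"""Replay the report's behavioral signatures over a constructed event trace.

Added example; not the sandbox's own rule engine. The event schema and the
trace records below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# THREADINFOCLASS value passed to NtSetInformationThread to hide a thread
# from an attached debugger.
THREAD_HIDE_FROM_DEBUGGER = 0x11

# Registry locations the anti-VM / anti-sandbox signatures key on.
VBOX_ACPI_RE = re.compile(
    r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.IGNORECASE)
BIOS_INFO_RE = re.compile(
    r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\"
    r"(SystemBiosVersion|SystemBiosDate|VideoBiosVersion)$", re.IGNORECASE)
UNINSTALL_RE = re.compile(
    r"^HKLM\\SOFTWARE\\(WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Uninstall\\",
    re.IGNORECASE)


@dataclass
class Event:
    # op is one of: reg_open, reg_query, file_create, file_write,
    # create_process, load_library, NtSetInformationThread (assumed schema)
    op: str
    path: str = ""                    # registry key, file, image or DLL path
    offset: Optional[int] = None      # byte offset for file_write
    info_class: Optional[int] = None  # THREADINFOCLASS for NtSetInformationThread


def match_signatures(events: List[Event]) -> List[str]:
    """Return the sorted list of signature names triggered by the trace."""
    hits = set()
    dropped = set()  # files the sample itself created, lower-cased paths
    for ev in events:
        path = ev.path.lower()
        if ev.op in ("reg_open", "reg_query"):
            if VBOX_ACPI_RE.match(ev.path):
                hits.add("Identifies VirtualBox via ACPI registry values")
            if BIOS_INFO_RE.match(ev.path):
                hits.add("Checks BIOS information in registry")
            if UNINSTALL_RE.match(ev.path):
                hits.add("Checks installed software on the system")
        elif ev.op == "file_create":
            dropped.add(path)
        elif ev.op == "file_write":
            # Sector 0 of a physical drive is the MBR; writes elsewhere on
            # the raw device are not flagged by this rule.
            if path.startswith(r"\\.\physicaldrive") and ev.offset == 0:
                hits.add("Writes to the Master Boot Record (MBR)")
        elif ev.op == "create_process":
            if path in dropped:
                hits.add("Executes dropped EXE")
        elif ev.op == "load_library":
            if path in dropped:
                hits.add("Loads dropped DLL")
        elif ev.op == "NtSetInformationThread":
            if ev.info_class == THREAD_HIDE_FROM_DEBUGGER:
                hits.add("Suspicious use of NtSetInformationThreadHideFromDebugger")
    return sorted(hits)


# Constructed trace reproducing every behaviour the report lists; the file
# paths and the Uninstall subkey name are invented for the example.
SAMPLE_TRACE = [
    Event("reg_open", r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"),
    Event("reg_query", r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    Event("reg_open", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SomeApp"),
    Event("file_create", r"C:\Users\Admin\AppData\Local\Temp\setup.exe"),
    Event("file_create", r"C:\Users\Admin\AppData\Local\Temp\helper.dll"),
    Event("create_process", r"C:\Users\Admin\AppData\Local\Temp\setup.exe"),
    Event("load_library", r"C:\Users\Admin\AppData\Local\Temp\helper.dll"),
    Event("file_write", r"\\.\PhysicalDrive0", offset=0),
    Event("NtSetInformationThread", info_class=THREAD_HIDE_FROM_DEBUGGER),
]

# Constructed benign trace: system binaries, a raw-disk write past the MBR,
# and NtSetInformationThread with ThreadPriority (0x02) instead of 0x11.
BENIGN_TRACE = [
    Event("create_process", r"C:\Windows\System32\cmd.exe"),
    Event("load_library", r"C:\Windows\System32\kernel32.dll"),
    Event("file_write", r"\\.\PhysicalDrive0", offset=512),
    Event("NtSetInformationThread", info_class=0x02),
]

if __name__ == "__main__":
    for name in match_signatures(SAMPLE_TRACE):
        print(name)
```

The "dropped" bookkeeping is what separates "Executes dropped EXE" from ordinary process creation: only images the sample wrote during the run count, which is why the benign trace, which launches cmd.exe and loads kernel32.dll, triggers nothing. The MBR rule keys on offset 0 of a \\.\PhysicalDriveN handle rather than on opening the device, since tools that only read the partition table open the same handle.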