General
-
Target
BearFlix.exe
-
Size
7.0MB
-
Sample
230414-p48ghabd2y
-
MD5
ea47c348d3c190be65e02d8e27677382
-
SHA1
e7db5e65b8ba03e08383904ba04904f0f937d8dc
-
SHA256
5cd1a4b761863addef4b68ab4e7df6036b6dea41a278013fadedf91e19ddbb56
-
SHA512
86169bcdf49a620d636d2ee62bb17138e57f09680139f263efdaf602da321275d1bd8ef8a5292a527bb29ae698cc692d3ed787febf0a75b0409cecde4e569c82
-
SSDEEP
196608:trkfNWCZtV8ld98BlON2jnbNswvBXvowJgzl7GSZn7ftm:F90jVvBXvoww77rc
Malware Config
Targets
-
-
Target
BearFlix.exe
-
Size
7.0MB
-
MD5
ea47c348d3c190be65e02d8e27677382
-
SHA1
e7db5e65b8ba03e08383904ba04904f0f937d8dc
-
SHA256
5cd1a4b761863addef4b68ab4e7df6036b6dea41a278013fadedf91e19ddbb56
-
SHA512
86169bcdf49a620d636d2ee62bb17138e57f09680139f263efdaf602da321275d1bd8ef8a5292a527bb29ae698cc692d3ed787febf0a75b0409cecde4e569c82
-
SSDEEP
196608:trkfNWCZtV8ld98BlON2jnbNswvBXvowJgzl7GSZn7ftm:F90jVvBXvoww77rc
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-