Overview

overview

10

Static

static

7

d2046e7907...ff.exe

windows7-x64

10

d2046e7907...ff.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c0eed8d7cff4a9b56b014b87ef779937.bin

  • Size

    4.8MB

  • Sample

    230505-x4py6aha84

  • MD5

    1b7f23e880ad9a206c6c16b01877026b

  • SHA1

    5535240d03cda839e527e06a7e2589f2d884ef2c

  • SHA256

    8472782c0b68863c2da132eead42f432da578650d6010ea574c632f08c9cf0bc

  • SHA512

    3c05fe95ee19bf978f901d9f42d6bc9c5875098855d703e49f63705a820744f3a52361b4953627e3238bb2e4378fa65c6074c4eaa7edf2073f45525ba157daea

  • SSDEEP

    98304:kfQgHKBca/+JQDlTgeRot3V2ULqU1n74lYtuc1j9zVOP/KnA2X5s:kfQgHEDl0eRDULZEZqjYoRs

Score
10/10
privateloaderdiscoveryevasionloaderspywarestealertrojanvmprotect

Malware Config

Targets

    • Target

      d2046e7907d430c57564fd882814a9786efe8b6fba8d5c0b5090068c3b66c7ff.exe

    • Size

      5.0MB

    • MD5

      c0eed8d7cff4a9b56b014b87ef779937

    • SHA1

      3e3e2c02bedaa92bac010de4e0358e01d6a38438

    • SHA256

      d2046e7907d430c57564fd882814a9786efe8b6fba8d5c0b5090068c3b66c7ff

    • SHA512

      56b0a94bb6ee0eea0ddf81e65449943fb120a531ebd922d9922d6f7fb3d1f1158f0961a586059e1d8c493d21eb8c54bd6bbdf71046946cd89ba9399aac56dfd0

    • SSDEEP

      98304:kUpUQp1iu+I3+gu/aUCl2zjii+CDOpzRVddpyeQENSsLJdNlJPBl/U:Zguh3XKe+iiCVtR5NS0jL/U

    Score
    10/10
    privateloaderloadervmprotectdiscoveryevasionspywarestealertrojan

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

5
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks