General

Target: svhost.exe
Size: 5.2MB
Sample: 230603-b2d8zsfe8x
MD5: 8aa2bcc963f412a81961e70ca973d25c
SHA1: 791e2d2f9fc5bbf9f149aaace2cbf1b3ea263eb8
SHA256: d8ccea5c925de65f4604ec7b632aaf3d6bab3a9930e4708530f17f9891f8ba84
SHA512: da47fd38845006bb884230996e499a6d42f5a78a2cd6fcc7be8e1b2cd3cc3623d0b579ab8eab67ee11eee294feb21729a9f23d5f51180525ad0e425b9283c7bb
SSDEEP: 98304:qNN/N91h2eDZQjL7sU8I5DKBWoClkRGJewd8Y3evBQ9LtYVrEx3/o6ETgKbWyu:w9GeDVI5DKBWZlkgJedYs6LtYdEhqTgY
Behavioral task: behavioral1

Sample: svhost.exe
Resource: win10v2004-20230220-en
Malware Config

Targets

Target: svhost.exe (same file as listed under General)
Score: 9/10

- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
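The registry and file-system signatures above (VirtualBox ACPI key, BIOS values, Geo\Nation country code, Run key, Startup folder drop) can be re-checked on a host or in a second sandbox by correlating a process-monitor trace. The script below is an added example for this report, not code from the sandbox or from the sample: it parses a Procmon CSV export (Time of Day, Process Name, PID, Operation, Path, Result, Detail), matches rows against each behaviour, and only flags a process that trips several distinct signatures, because a benign shell also reads the country code. The trace it runs on is constructed for illustration, and the registry paths in RULES are the commonly documented locations for each check, assumed here rather than recovered from svhost.exe. Note that Sysmon registry events (IDs 12, 13, 14) record key creation, value writes and renames but not reads, so the anti-VM and geofence lookups need an API-level trace such as Procmon or the sandbox's own log.

```python
"""Correlate a Procmon-style trace with the behaviours listed in this report.

Added example; not part of the sandbox report and not code from the sample.
Parses a Procmon CSV export (columns: Time of Day, Process Name, PID,
Operation, Path, Result, Detail). SAMPLE_TRACE is constructed. The paths in
RULES are the commonly documented locations for each behaviour; they are
assumptions, not values recovered from svhost.exe.
"""
import csv
import io
import re
from collections import defaultdict

# (signature name from the report, Procmon operations that count, path regex)
RULES = [
    ("Identifies VirtualBox via ACPI registry values",
     {"RegOpenKey", "RegQueryValue", "RegEnumKey"},
     r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__"),
    ("Checks BIOS information in registry",
     {"RegQueryValue"},
     r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS\\"
     r"(SystemManufacturer|SystemProductName|BIOSVendor|BIOSVersion)$"),
    ("Checks computer location settings",
     {"RegQueryValue"},
     r"^HKCU\\Control Panel\\International\\Geo\\Nation$"),
    ("Adds Run key to start application",
     {"RegSetValue"},
     r"^HK(LM|CU)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$"),
    ("Drops startup file",
     {"CreateFile", "WriteFile"},
     r"\\Start Menu\\Programs\\Startup\\[^\\]+$"),
]
_COMPILED = [(name, ops, re.compile(rx, re.IGNORECASE)) for name, ops, rx in RULES]

# Constructed trace: one process showing all five behaviours, plus a benign
# shell process that also reads Geo\Nation (normal for explorer.exe). On a
# non-VirtualBox host the VBOX__ key is absent; the open attempt is the tell.
SAMPLE_TRACE = r"""Time of Day,Process Name,PID,Operation,Path,Result,Detail
10:15:01.0001,svhost.exe,4120,RegOpenKey,HKLM\HARDWARE\ACPI\DSDT\VBOX__,NAME NOT FOUND,Desired Access: Read
10:15:01.0002,svhost.exe,4120,RegQueryValue,HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer,SUCCESS,Type: REG_SZ
10:15:01.0003,svhost.exe,4120,RegQueryValue,HKCU\Control Panel\International\Geo\Nation,SUCCESS,"Type: REG_SZ, Data: 244"
10:15:02.0000,svhost.exe,4120,RegSetValue,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater,SUCCESS,Type: REG_SZ
10:15:02.0001,svhost.exe,4120,CreateFile,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk,SUCCESS,Desired Access: Generic Write
10:15:03.0000,explorer.exe,1234,RegQueryValue,HKCU\Control Panel\International\Geo\Nation,SUCCESS,Type: REG_SZ
"""


def match_events(trace_csv):
    """Return {process: {signature: [(operation, path), ...]}} for matching rows."""
    hits = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(io.StringIO(trace_csv)):
        op, path = row["Operation"], row["Path"]
        for name, ops, rx in _COMPILED:
            if op in ops and rx.search(path):
                hits[row["Process Name"]][name].append((op, path))
    return {proc: dict(sigs) for proc, sigs in hits.items()}


def flag_processes(trace_csv, min_signatures=2):
    """Processes that trip at least `min_signatures` distinct signatures.

    A single hit is weak evidence: explorer.exe legitimately reads the
    Geo\\Nation value. Several distinct behaviours from one process are
    what make the individual signatures worth acting on.
    """
    return sorted(proc for proc, sigs in match_events(trace_csv).items()
                  if len(sigs) >= min_signatures)


if __name__ == "__main__":
    for proc, sigs in match_events(SAMPLE_TRACE).items():
        print(proc)
        for name, rows in sigs.items():
            print(f"  [{len(rows)}] {name}")
    print("flagged:", flag_processes(SAMPLE_TRACE))
```

To apply it to a real capture, export the Procmon log as CSV (File > Save, CSV format) with the Registry and File System event classes enabled and pass the file contents to match_events; the rule table is the place to add the IP-lookup host or hosting-service indicators once the network trace names them.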