General
Target: aaaaaasdsafdfdsafs.zip
Size: 7.0MB
Sample: 230617-25hnpadd84
MD5: 04c7d110dba77b15a7e3dc0cddff94bc
SHA1: 988b7551dc25ef0983d20a13cbc2fb5cb314aa25
SHA256: e747906008c1ca8cec150649b1ec559a68da00ec5210d5f7fb802e1d20c0126e
SHA512: 44330bb76e0448e2a86eec647ee7e10875fc898066544fa9e0aae7f3352546233dc9a25220f7bfbd7fa1f4bee0ddd4fed4b908abbf969b274b2c0934d68139b9
SSDEEP: 196608:7ciWmhAI4O6Q0dRJDIh3MADSugmKX+XfQ:9aI76QcReqU8t+XfQ
Behavioral task: behavioral1
Sample: svchost.exe
Resource: win10v2004-20230220-en

Malware Config

Targets
Target: svchost.exe
Size: 7.0MB
MD5: 4ba72080b6312d3535a5e0d041fedbb4
SHA1: 936310ca7566837284a49f7137c7b2a6f902d286
SHA256: 8dedcbc9e349f81dcf2d342a1f7161508cecf1eb3e792c8febec49f8fdff309d
SHA512: 6a825a4d9ce7588ef79fdaef4567b7ab8aa5f69e9529e1e2ffed686f55a347c08dccd1450fd4f3e002da2fb23c9e34089c8f5b5b3db0cb9bb3746518028ec64e
SSDEEP: 98304:PB2pC6XG4HNkq5UKPhc24Y1/QPldHVTgPNhV0ADXqQgpkWDRIZVMnu0jjD8ueJU:scUG4raKu24YY7HVT4hV0AD6QgqKRgX
Score: 9/10
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger