General
- Target: svhost.zip
- Size: 7.0MB
- Sample: 230617-lbrfqsag41
- MD5: 66c4c78001e053a9e28bf2c802d98836
- SHA1: 516b06f28b64b1323cf61511055e9d3541fe302a
- SHA256: 0b57ef8dc404b12987c7071007deb61da13dfa9b082827a513a895056520b7ce
- SHA512: cbc4b163bf56f5ddb21a9dda584984204ab489adf9261b8f71f6ccc39c51549a3a4e2169d0b19ac5fd1adbc9a7d557732e57e69627a228ab8f6082305e454e23
- SSDEEP: 98304:vB23sWnSm/5eKZa4dhcCWI1zCvZrOQhPZer3hjaADtoKgNY2hRu/5UpmOlTBk6SI:M8kSmHI4sCWI+0SPZahjaADGKgiMfGPu
Behavioral task
- behavioral1
- Sample: svhost.exe
- Resource: win10v2004-20230220-en
Malware Config
Targets
- Target: svhost.exe
- Size: 7.0MB
- MD5: 0ae923579d23319a92433cd5078fc8e7
- SHA1: 66960b7c537597615a051d92eaf8c3971f3e53f9
- SHA256: bf57483379c0df21700ab91b090302d9784f9cfa7bb8486a1e8267256841bd7e
- SHA512: d4cca5dd9f30f41129f5f27d6be5233bfea3b321c624e30cdd051d445025d1ab4d86bb3de8049ad8b49569d5923950fa76c333dc1bb25c87b79cdc63efac6a18
- SSDEEP: 196608:rbcUG4raKu24YY7HVT4hV0AD6QgqKRgX:5mKr4YYH+EUWpgX
Score: 9/10
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger