General
- Target: svchost.exe
- Size: 7.0MB
- Sample: 230618-fex5ssdh24
- MD5: 9c8971a999bec1e4a602f6ad8295b207
- SHA1: c358b621a6402c3a3a184c9bbdedf6c3f4f8f088
- SHA256: 74a46a2e591d858b447870d9d4535729e9859328854be58f6fd0ef2cbe12b206
- SHA512: 051179832fd8a181dcd2131807332b6ac301484aeadba3baad594e0680c2bd0d58df5b712f2a6464c160a1f0af83f8b7a3a28f955530cfa7c0d6af253968aedb
- SSDEEP: 98304:ZB2pC6XG4HNkq5UKPhc24Y1/QPldHVTgPNhV0ADXqQgpkWDRIZVMnu0jjD8ueJU:icUG4raKu24YY7HVT4hV0AD6QgqKRgX
Behavioral task: behavioral1
- Sample: svchost.exe
- Resource: win10v2004-20230220-en
Malware Config
Targets
- Target: svchost.exe (7.0MB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
Score: 9/10

Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Drops startup file
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control-flow obfuscation.
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
- Suspicious use of NtSetInformationThreadHideFromDebugger