General
-
Target
https://workupload.com/file/SaZEYKEFmA3
-
Sample
230713-mkbx3shc4x
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://workupload.com/file/SaZEYKEFmA3
Resource
win10v2004-20230703-it
Malware Config
Extracted
vidar
4.7
https://t.me/prescilliouns
https://t.me/prescilliouns
https://t.me/eagl3z
https://steamcommunity.com/profiles/76561199159550234
-
profile_id_v2
https://t.me/prescilliouns
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1788.0 uacq
Extracted
amadey
3.85
45.9.74.164/b7djSDcPcZ/index.php
Extracted
systembc
5.42.65.67:4298
localhost.exchange:4298
Targets
-
-
Target
https://workupload.com/file/SaZEYKEFmA3
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-