4ad3d6788079f54e92ba7f36e69524b85904ee21e42c89eed0b2bd4fb64f338f | Triage

Sharing

General

Target

arphaCrashReport.zip
Size

11.0MB
Sample

231014-b7agzscd22
MD5

95dddca73723455b0ce22258ce1ad17d
SHA1

5b47b6aa6050a48990db883f1f6ba7ce5edc89d1
SHA256

4ad3d6788079f54e92ba7f36e69524b85904ee21e42c89eed0b2bd4fb64f338f
SHA512

31e406e2707e01c4c86b2be7e8750dc90913ef48534773d36e47215334116db9c382368a8052a594d45ebc61bf3376103d78e5607b104751e6e83fdb65757d36
SSDEEP

196608:YdD943lLbOz+ZMzsTClf21JyanYYI5R7PZFvigZTNOpWur10jLEbUt9b1uMjq2:YT43lLqzlzs+121JFnYYcLTNmrJbUt9x

Score

9^/10

evasion

Malware Config

Targets

- Target
  
  arphaCrashReport.exe
- Size
  
  206KB
- MD5
  
  8521949e487368f1708d68ffcc581665
- SHA1
  
  a2c753371ba79eb673ff4987d9044af9c7a1b89b
- SHA256
  
  b2ee510d0b5012487dee143b459e4e2fcfb758960d3fe7ec4743552bc91be9e2
- SHA512
  
  7722abb534f11dc71ac0797d881eb5c2dee524e19d99c219697efa1037164d92a23a5f098f76e5471f1bcfbcb05b44c497ba85f724267cb70591a448af4358ba
- SSDEEP
  
  6144:UJgVV8K6VGrE8y3CtcKn6yv8zRkDVn5iJg:SGQ8y3CtcoRv6i
Score

9^/10

evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  arphadump.dll
- Size
  
  10.4MB
- MD5
  
  057381c48055743f1826fd6ec098b464
- SHA1
  
  9c09a534c22863a73f0544ca6039fdf80e6ddfb8
- SHA256
  
  ecb680f6088157193ec5d16246d31669e7153da94fd3ee4273cdac7c9cdcac7b
- SHA512
  
  c1123a35155e56ace597af97e67aab3b3a8713e026801f82171e6d32b1c6b64d6b44395d069c0031e9695da557e4c44ec1dc081ed42ec17563cb7f834f944297
- SSDEEP
  
  196608:JLPRePJLb2hsDkLsZadle1NEoH+5TNuJKoE0+vDfqMR8xK:JFePJLKhPLsMDe1NxH+5T+e5
Score

9^/10

evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4