netfilter | 94e3a8f25dbff86ee6fe11ee045b70055357c08ae1723598a361c96eac5e2c24

Sharing

Copy URL

Twitter E-mail

General

Target

daa4a303815b2f4b3383ae4e9cb9d70b.bin
Size

99.1MB
Sample

231108-dsa63scg3y
MD5

daa4a303815b2f4b3383ae4e9cb9d70b
SHA1

71ad3c455f33dff881e05816d87f43e48b6a5084
SHA256

94e3a8f25dbff86ee6fe11ee045b70055357c08ae1723598a361c96eac5e2c24
SHA512

7c2fd76a9fc12382df8abb3ad459dc962ffe07ff03fd4801eb6a68e0802df9b5a1136fec3d421ffcfb387033ea9de3d302a878f1a901257be03f6271574557fa
SSDEEP

1572864:Hz9VYu6kNhSQlSkdCUZdoinM59VVzg4dPC7v9A17V3nBDlxn3hqzLpPr:TQk/HHnMHkHBA17lnTqpPr

Score

10^/10

Malware Config

Targets

- Target
  
  Bootkits/5ef62c780d7c9f82dea098972f66d5b3367841913444933cdb779adaecd06d1a.exe
- Size
  
  36KB
- MD5
  
  2025cc89204d851a57c02a9fd441b619
- SHA1
  
  7f501aeb51ce3232a979ccf0e11278346f746d1f
- SHA256
  
  5ef62c780d7c9f82dea098972f66d5b3367841913444933cdb779adaecd06d1a
- SHA512
  
  81a38b84c62656640ebee1eb6c6bb9945a8f71c80350c127e0e22e0509b7b2b33e95d7b829f2a784cd7f19cfb27373afd0885ee30c549c5179f711c43eb27779
- SSDEEP
  
  768:p6bG9YETo/grz+5F3FfEYUSdl0bwtY9YLkjW2xQ1MwhFbGdtFm:kbG9YezkMv0W5mwjWuQ1xFbyPm
Score

6^/10

bootkit persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral1 behavioral2
- Target
  
  Bootkits/6b0cd074a6c556f4d1fe0088c15160eb13f847974c4307f9eeeea4dc33d49286.exe
- Size
  
  83KB
- MD5
  
  64e1aa6f5dca669ba51678157058d54b
- SHA1
  
  9f6df0a011748160b0c18fb2b44ebe9fa9d517e9
- SHA256
  
  6b0cd074a6c556f4d1fe0088c15160eb13f847974c4307f9eeeea4dc33d49286
- SHA512
  
  91f5cc1aba9b26a16e7b9e082c2982f71fe9996be9072f0252a2864894904fec57b65b6d1dae98274df2fe3e4ab4626364040e16802fa5ccf152b71228b54c0d
- SSDEEP
  
  1536:esDWvcIU3ayXD1D12E5G9JR0+iGxxUWfdOzq3bdPOoH6LBqtgkdd+4MxUAsKliwZ:WeayXIJR0hGvTfMwfaLBViYUAzF
Score

7^/10

bootkit persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral3 behavioral4
- Target
  
  Bootkits/8dcc573293ae9a545655a47e23f106738a190f5318c31124bd3a73b12f128df6.msi
- Size
  
  433KB
- MD5
  
  c73606235b64566e6cbc67b9f608b4f8
- SHA1
  
  880256847cad1443b2865b27fad053667a30af21
- SHA256
  
  8dcc573293ae9a545655a47e23f106738a190f5318c31124bd3a73b12f128df6
- SHA512
  
  0c068c74fc4cf284652f014fd2a89bda64d2013a33501b715709bb5edd79ccc8d6ff79e91562be1c46bf89a7176aaf15dd4bf12fc6101d23b584d34a2a6b0d5e
- SSDEEP
  
  3072:943ygYXkj7q0vTYDryOjnpU6ij4qpXqnnDibAJBVk6YYA69Z3D3NPT+7qSS:945iLTqp4nwEzYYA83D3NPT+7
Score

7^/10

persistence
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral5 behavioral6
- Target
  
  Bootkits/f428b4d0673ae67472fbe212086e70eeb5b6876e80a74b59ff8ba3e6def5e9b1.exe
- Size
  
  57KB
- MD5
  
  cd51f54c69fdc0253f8db0f98a574dbe
- SHA1
  
  ee5f3daa03e34cf4d44c7f56afee44bb0705d32c
- SHA256
  
  f428b4d0673ae67472fbe212086e70eeb5b6876e80a74b59ff8ba3e6def5e9b1
- SHA512
  
  c08d93eb006efee24ea8c54fa55d184bb0caff9ee9b3ef3171744ec97730ace3a6a39bce51f173ded218fd313e147d285b4fa390118f8f28f37887761903936e
- SSDEEP
  
  768:sUKF67a9wsT4KJjjO4xbr+3z9KMwwaETFQN7J+9OdstfXFVDgkyIIL7HLdJ:X/7a9ws/OO23zFTKshBjck+/
Score

7^/10
- Deletes itself
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral7 behavioral8
- Target
  
  Rootkits/03e903602037420acf4d1bc5084923c59385c5594f3a2de6fcf320bd4746d6c7.exe
- Size
  
  3.2MB
- MD5
  
  c153ea773bdeac9036f76079deded7a7
- SHA1
  
  41c2eb564be710797a24c0e519c1de1b293f3eb5
- SHA256
  
  03e903602037420acf4d1bc5084923c59385c5594f3a2de6fcf320bd4746d6c7
- SHA512
  
  9df3563bc249c89433c46509b269e717bca25948fa7a5a1e4d488761c4439b28f303c0438cd008e7574d85c4d5458657650ef88656c18bf2da3ea7a314234e5d
- SSDEEP
  
  49152:vs+0RWyGsHNh7vo2/BPFZqMQj0HcvnafOdYgKlMciBkYbPLk+ZYEeqZHNQZ:U+83nKzdYD+DYEv
Score

8^/10

persistence
- Drops file in Drivers directory
- Sets service image path in registry
  persistence
behavioral10 behavioral9
- Target
  
  Rootkits/044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
- Size
  
  246KB
- MD5
  
  5b65e0442761c3ba7ab13f19e696a3ad
- SHA1
  
  840cd5fabb617cdfd848ff29253b4cce79213a35
- SHA256
  
  044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d
- SHA512
  
  a5af3f57bbeea72a98fa3fcf499f98e568994a9ea29ab5558fc691d83d97decf2c9aa17d2f157442baf63c06b8fcc3c604a5098289c991cd7b061cb22cd64ec7
- SSDEEP
  
  3072:dZvq0Fnr1gWPgOYVkN6rnhccEYMY2wuoyq8pq+8MhHRIK8k4B7KHpwRXDYNdY2vx:dZvdr1bkVkNwzEJwu1Z/L8hgpwZY79
Score

10^/10

evasion
- Modifies security service
  evasion
behavioral11 behavioral12
- Target
  
  Rootkits/0925b8985b19d7925d68186d666b0050a4cb3f2a577d64765d770a57a2eab9ae.exe
- Size
  
  104KB
- MD5
  
  4f5c1bb12c487afacba8802b652210db
- SHA1
  
  83883526d86b0dcd71327bad1b1b498fd548b7c9
- SHA256
  
  0925b8985b19d7925d68186d666b0050a4cb3f2a577d64765d770a57a2eab9ae
- SHA512
  
  c3cce308fc4464ab5473d4a170e087d15672c01dffbae5ea05323b47f4350ff6d0f1f1ea213b2c0bf1a4b5b92086187da8d3760963822a0b8af5b52de58249ad
- SSDEEP
  
  1536:H2+Jxz5ugKNwH6E9RZhXl65YCo/SxeACesjw79dlz2Vgfsbg1gNE4wnX02yI/:/xzBKNk9RZ65Yr/BACesjwzstfNxuX/
Score

1^/10
behavioral13 behavioral14
- Target
  
  Rootkits/096322b16a7395e5534e9db6752aab1bd54275515f33f993d066ec7b46ed5b3e.exe
- Size
  
  13.5MB
- MD5
  
  c3ecf2b0e8af05f35afa7608b59b03f6
- SHA1
  
  fa881159493fb62295847d7ec5e9d9cb616c3ea9
- SHA256
  
  096322b16a7395e5534e9db6752aab1bd54275515f33f993d066ec7b46ed5b3e
- SHA512
  
  8a1fc698e07edffb003376cf12d9e003778147ba0cf4d2f0ec58f35b84ff7b29e43dc0cb40176991ff5a5f6a549fb2b37a7a6db2c895645807c977133785424f
- SSDEEP
  
  393216:45PcbXCpS9c5hlERblh2psAdZYyz/mrWvFMU:gcgeEhk5QpsAdZawK
Score

10^/10

persistence
- Modifies WinLogon for persistence
  persistence
- Drops file in Drivers directory
- Loads dropped DLL
behavioral15 behavioral16
- Target
  
  Rootkits/0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510.exe
- Size
  
  9.9MB
- MD5
  
  b24dc6c074aab9d99b73958f2e503e1d
- SHA1
  
  c8cd87746bcaa193268bbb5a47f40148a5a12ad0
- SHA256
  
  0b1b37d85a27819a8b4b9d7691e55dfc93311f7d5159433d1ac09854fcb13510
- SHA512
  
  6ac7b1c0f1a70694ecb7abe4188f6d1826f6a9c9f35d107807c35e407bed9193f7aef8efd99579f3d6ad7163d9d7d45a0cef2b50d090172758e24728ce48d781
- SSDEEP
  
  196608:maXfyBb861vQowxMwCYRE3xSnP+msNa1Z9+0ejUC6DKzkNO+NqVh:maX6eFo+ZJEBSn2mp9FejCKeq3
Score

7^/10

vmprotect
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
behavioral17 behavioral18
- Target
  
  Rootkits/2141974f665f4d8fecb6d8ea06add624b57f320f901368847175570ee716fd8e.exe
- Size
  
  2.0MB
- MD5
  
  8d54e4abe1762f96134a0c874cfb8cdc
- SHA1
  
  336f3fb4baa098ea4f54d881f2a2cf696e37c44e
- SHA256
  
  2141974f665f4d8fecb6d8ea06add624b57f320f901368847175570ee716fd8e
- SHA512
  
  fad6791b7f5071c4958041cb50e92af298544d8a6907b82afe44717e3047426e56ff02b4ed61a40af405ae5c1ead9cb688660d87ca92295e7ded4a1158e62704
- SSDEEP
  
  24576:jBm2D0GlV7LJMLMVSBsalgydd4jnYnyeiRy:M2D0mV76LMV1algAkYP
Score

1^/10
behavioral19 behavioral20
- Target
  
  Rootkits/22ee7b8104599b47313195598ffc34aafd6a6552dcce0e7b3232ced3a90ac9a4.exe
- Size
  
  327KB
- MD5
  
  da87a0a2aba605908bf8b9a3f4377481
- SHA1
  
  5cac4ea0b3f0cc2d7c04655db12ad0443cbaa5cf
- SHA256
  
  22ee7b8104599b47313195598ffc34aafd6a6552dcce0e7b3232ced3a90ac9a4
- SHA512
  
  55a8a27a013cb2c3deda81779d89ab956a5f57d00a155496abc7bf3c5a87f3b7c41058ab3681cbbd0406f69ea01c4ffc3e5779c2ca676088a68cb87f19c34c28
- SSDEEP
  
  6144:RBx7z3Bre16M01nguKBmmlbvx0zKGkl5EiCtuhNjtANJ4tDWhRaitlopYR:RnBreIfKNJVZotuhNZKxrYpI
Score

10^/10

evasion
- Modifies security service
  evasion
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral21 behavioral22
- Target
  
  Rootkits/40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b.exe
- Size
  
  9.3MB
- MD5
  
  ecc1f53b3c3aedb0b1cb703d7974ef26
- SHA1
  
  fffb993e86aa3d2b851aba1a9c50183cf186f866
- SHA256
  
  40fd1fcff12afcf503175d91a18d7a6f7b4ade68726328db38eb6fd74304561b
- SHA512
  
  2ff1dd30a72ce61ab7f87044e2f5adfac58c421f690b83bb8e31ecaf5f80aad5192a1b6b156adb0e025853b2c2f9a9fdd3801fb9af41f102f5f627b55e8339fd
- SSDEEP
  
  196608:qMaXfyBb861vQowxMwCYRE3xSnZ0Hz4S5xvpEMX0Rx/qQkq6r:ZaX6eFo+ZJEBSnmtPR9IbkBr
Score

7^/10

vmprotect
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
behavioral23 behavioral24
- Target
  
  Rootkits/659e0d1b2405cadfa560fe648cbf6866720dd40bb6f4081d3dce2dffe20595d9.exe
- Size
  
  9KB
- MD5
  
  83720e64aa1388d55324a22536bd39cd
- SHA1
  
  8fa3636a7697f953d7daa02a313981b9e3bc98e4
- SHA256
  
  659e0d1b2405cadfa560fe648cbf6866720dd40bb6f4081d3dce2dffe20595d9
- SHA512
  
  0ab402911cdefceb9a6ade0b968b10c628fed6da17097b8cd943f76527078a597425c8d0845bb86f0318ee1967dd3f43aa951f822b79933da475eb1ace70922d
- SSDEEP
  
  192:V06wXINaG3GO/p/gqEQ3UCp3syXOYWmvmKI7H:VnNt/1gG3Hp3ToUjI7
Score

1^/10
behavioral25 behavioral26
- Target
  
  Rootkits/757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8.exe
- Size
  
  9.5MB
- MD5
  
  d76e73e0235f77c9bf5578eb51a9bf9a
- SHA1
  
  23f26097829f9591164c509831b627964ffdecf9
- SHA256
  
  757cd417096f37de99461b69b70ccc532fb294b8ecbf18e3fddaea7bb6058ce8
- SHA512
  
  a41f9f136fec5842aeeb3ad87ad6874a708c374bb6680ce7a5cbd4539e262e9096825c8246b0cc5c280358e2f51c5ed5fa67050b33b67bb3e2349db3fae6db18
- SSDEEP
  
  196608:xOw0fyB+aXfyBb861vQowxMwCYRE3xSnZtAJzwCiHjx40TJnBGy4n6C:x+aX6eFo+ZJEBSnbASBHjx40TlE6C
Score

7^/10

vmprotect
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
behavioral27 behavioral28
- Target
  
  Rootkits/84ed7fec67de5621806dbb43af5167a5fc60ab7f2403448519dc0eca2b8f9022.exe
- Size
  
  104KB
- MD5
  
  d48614478c10d4cc40104f6ec7d36152
- SHA1
  
  86e57eb5616e8bb5394058a7de6bbbfdf84bb4a1
- SHA256
  
  84ed7fec67de5621806dbb43af5167a5fc60ab7f2403448519dc0eca2b8f9022
- SHA512
  
  f87ae082fbe0a43057b807ab006e13fc5a501cacf3a18bc901e2a976d44b4db7f3225d7c0fe1410a90f845906b73864c4662b4877b15d6eaccdf3299fd76890e
- SSDEEP
  
  3072:tLXMyJaOBw5tcbROV+F6QvMqP23mmCi8YA:tbLW4bsVhCiBA
Score

1^/10
behavioral29 behavioral30
- Target
  
  Rootkits/9114dc1c44f6a1b7d63ca95e04541d833c49a3e65a717471042bd0ec19a3eb99.exe
- Size
  
  3.2MB
- MD5
  
  c52ce9d8ecf3e5a3f1518178e468abdb
- SHA1
  
  dcc2392a9c0cbf84c0fea37f4b4bd1bbde5d4cd9
- SHA256
  
  9114dc1c44f6a1b7d63ca95e04541d833c49a3e65a717471042bd0ec19a3eb99
- SHA512
  
  1b74eed1c9bb6b261f8b9015459790f3e91bbb44ce3e74a8a974d36d23da233f0b3ce5283413c1da1e97faa1b4c7ccad6dc794fe610adf80d1961f15b383c82f
- SSDEEP
  
  49152:io6sSyg5sHNh7vo2/BPFZqMQj0HcvnafOdYCig65Mkk3pUcqtmmCgKau2FYOjRnc:DZxnKzdYcZT2YOjRN
Score

8^/10

persistence
- Drops file in Drivers directory
- Sets service image path in registry
  persistence
behavioral31 behavioral32