dd77515cfe3af20154c0b3f87abc3f7082d4c0875b646e018b87a8da8de83d80 | Triage

Submit
Reports

Overview

overview

Static

static

1

anygo.exe

windows7-x64

4

anygo.exe

windows10-1703-x64

4

anygo.exe

windows10-2004-x64

Sharing

General

Target

anygo.exe
Size

101.1MB
Sample

231119-yqnplscb5v
MD5

86c8c71925193104ab11fb90b62a2c26
SHA1

f8535c08a873045ee53f56735464f96de80bf18e
SHA256

dd77515cfe3af20154c0b3f87abc3f7082d4c0875b646e018b87a8da8de83d80
SHA512

d9800245bf12c5c3a0c6d1e4f315b5aa1bd90db0fb242fc01cbc58360973e678e162943b21c0abca11d3e798b0769b07b12ba5639ebf8c44124af5f931a72314
SSDEEP

3145728:N9t1MVL42RB8P/JZn7+uZDO1ncY6Qf8A1s7x3VenQ:N9t1Mq+inJZ7RhO1cJQ0Co/

Score

10^/10

discovery evasion persistence spyware stealer vmprotect

Static task

static1

Behavioral task

behavioral1

Sample

anygo.exe

Resource

win7-20231023-en

windows7-x64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

anygo.exe

Resource

win10-20231023-en

windows10-1703-x64

6 signatures

150 seconds

Behavioral task

behavioral3

Sample

anygo.exe

Resource

win10v2004-20231020-en

discovery evasion persistence spyware stealer vmprotect

windows10-2004-x64

30 signatures

150 seconds

Malware Config

Targets

- Target
  
  anygo.exe
- Size
  
  101.1MB
- MD5
  
  86c8c71925193104ab11fb90b62a2c26
- SHA1
  
  f8535c08a873045ee53f56735464f96de80bf18e
- SHA256
  
  dd77515cfe3af20154c0b3f87abc3f7082d4c0875b646e018b87a8da8de83d80
- SHA512
  
  d9800245bf12c5c3a0c6d1e4f315b5aa1bd90db0fb242fc01cbc58360973e678e162943b21c0abca11d3e798b0769b07b12ba5639ebf8c44124af5f931a72314
- SSDEEP
  
  3145728:N9t1MVL42RB8P/JZn7+uZDO1ncY6Qf8A1s7x3VenQ:N9t1Mq+inJZ7RhO1cJQ0Co/
Score

10^/10

discovery evasion persistence spyware stealer vmprotect
- Modifies firewall policy service
  evasion
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Blocklisted process makes network request
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops file in System32 directory
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Process Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

discoveryevasionpersistencespywarestealervmprotect

© 2018-2025

Terms | Privacy