General

  • Target

    UnparkCPU.exe

  • Size

    876KB

  • Sample

    240122-ycybwscfan

  • MD5

    254fe03a202beb7d68bc322f200a480c

  • SHA1

    8b7b41baa2f7fa830b52a4f70641d6f933018c7a

  • SHA256

    8fce32ef6687aeb691c1a9427cfbf11fd6e9c0407bb8dcbab1f839d88077172e

  • SHA512

    e69df4072539a443fef25bd4a061ff832e905b30789acd683b982f0c98636830af29ed84f2e11c0f074ea7bc7b2854adb9cb2f8d9fdd8c4496c5f952ab39ebdf

  • SSDEEP

    24576:P7n9hdfIh7UlrVCReU1VijlsVCReUiaiU:P7n9hdq7Ulr4ReUfijls4ReUhi

Malware Config

Targets

    • Detect Vidar Stealer

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks