General

  • Target

    74c738ec680d1ff87c135833211a88dd

  • Size

    5.9MB

  • Sample

    240125-qdbkhshbak

  • MD5

    74c738ec680d1ff87c135833211a88dd

  • SHA1

    12040b15530b5b80de79faa122d095341c388b60

  • SHA256

    bcb6d900f86664d0a97e69510c99b519f26f376316e761fadf2a8ef4f672b975

  • SHA512

    a002eaf05daa6b8826fb73fe4beef075c647ceb0a59198ae223329497b92487fd2a029ad0a7c1bd13656e02d9d22506a148dbe46733b89ed675b77c8aae07ad1

  • SSDEEP

    49152:VDIMT1Lr5k16MadwH/MiaK+zRHhHreL+lcTQxexi5rFN9rr1x0QDQcUhoecxyA+P:pm

Targets

    • Target

      74c738ec680d1ff87c135833211a88dd


    • NanoCore

      NanoCore is a .NET-based remote access trojan (RAT) with a plugin architecture; its capabilities include keylogging, credential theft, remote shell and surveillance of the victim machine.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      VirtualBox guests expose ACPI tables with the OEM ID VBOX__ under HKLM\HARDWARE\ACPI (DSDT, FADT, RSDT); probing for these keys is a common virtual-machine check.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing (the sample may refuse to run in certain countries).

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calling NtSetInformationThread with the ThreadHideFromDebugger information class stops debug events for that thread from reaching an attached debugger, a common anti-debugging technique.
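Most of the signatures above are registry reads and writes, so the same behaviour can be re-derived from a registry trace of the sample. The following is an added example, not part of the sandbox report or of the NanoCore sample itself: it parses a constructed Procmon-style CSV trace (the log lines are invented for this example) and maps each registry operation onto the signature names used above. The registry paths are the well-known locations for each check (VBOX__ ACPI tables, the BIOS description keys, Geo\Nation, Software\Wine, EnableLUA, the CurrentVersion\Run key); the function and rule names are this example's own. Non-registry behaviour (executing dropped files, loading DLLs, the NtSetInformationThread call) is not covered here.

```python
import csv
import io
import re

# Constructed Procmon-style registry trace. These rows are invented for the
# example and are NOT taken from the sandbox run of this sample.
SAMPLE_TRACE = """Process Name,Operation,Path,Result,Detail
sample.exe,RegOpenKey,HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__,NAME NOT FOUND,Desired Access: Read
sample.exe,RegOpenKey,HKLM\\HARDWARE\\ACPI\\FADT\\VBOX__,NAME NOT FOUND,Desired Access: Read
sample.exe,RegQueryValue,HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemManufacturer,SUCCESS,Type: REG_SZ
sample.exe,RegQueryValue,HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemProductName,SUCCESS,Type: REG_SZ
sample.exe,RegQueryValue,HKCU\\Control Panel\\International\\Geo\\Nation,SUCCESS,Type: REG_SZ
sample.exe,RegOpenKey,HKCU\\Software\\Wine,NAME NOT FOUND,Desired Access: Read
sample.exe,RegQueryValue,HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA,SUCCESS,Type: REG_DWORD
sample.exe,RegSetValue,HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate,SUCCESS,Type: REG_SZ
explorer.exe,RegQueryValue,HKCU\\Control Panel\\International\\Geo\\Nation,SUCCESS,Type: REG_SZ
"""

# (signature name, path pattern, registry operations that count as a hit).
# The signature names mirror the sandbox report; the paths are the standard
# registry locations each check targets. Matching is on the attempt, not on
# the Result column: on bare metal the VBOX__ and Wine keys do not exist, and
# that NAME NOT FOUND is exactly the answer the malware is looking for.
RULES = [
    ("Identifies VirtualBox via ACPI registry values",
     re.compile(r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I),
     {"RegOpenKey", "RegQueryKey", "RegEnumKey"}),
    ("Checks BIOS information in registry",
     re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS\\"
                r"(SystemManufacturer|SystemProductName|BIOSVendor|BIOSVersion)$", re.I),
     {"RegQueryValue"}),
    ("Checks computer location settings",
     re.compile(r"^HKCU\\Control Panel\\International\\Geo\\Nation$", re.I),
     {"RegQueryValue"}),
    ("Identifies Wine through registry keys",
     re.compile(r"^HKCU\\Software\\Wine(\\|$)", re.I),
     {"RegOpenKey", "RegQueryKey"}),
    ("Checks whether UAC is enabled",
     re.compile(r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA$", re.I),
     {"RegQueryValue"}),
    ("Adds Run key to start application",
     re.compile(r"^HK(LM|CU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I),
     {"RegSetValue"}),
]


def triage_registry_trace(csv_text, process=None):
    """Map registry operations in a Procmon-style CSV onto signature names.

    Returns {signature: [paths touched]}. If `process` is given, only rows
    from that image are considered, so that unrelated system processes
    reading the same keys (explorer.exe in the sample trace) are not
    attributed to the sample.
    """
    hits = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if process and row["Process Name"].lower() != process.lower():
            continue
        for name, pattern, operations in RULES:
            if row["Operation"] in operations and pattern.search(row["Path"]):
                hits.setdefault(name, []).append(row["Path"])
    return hits


if __name__ == "__main__":
    for signature, paths in triage_registry_trace(SAMPLE_TRACE, process="sample.exe").items():
        print(f"- {signature}")
        for path in paths:
            print(f"    {path}")
```

Filtering on the process name matters for the geofence rule: the Geo\Nation value is read by plenty of legitimate software, so the signal is who reads it, combined with the anti-VM probes and the Run-key write from the same image.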
