Malware Analysis Report

2025-08-05 09:32

Sample ID: 240228-jyrznseh7x
Target: 691ef3891d5c155f2689647f2c441617.exe
SHA256: bfbf60a70d1dbdd452f3b3bc819ce5804b5fc4baa028af084c2e84abaf73bb65
Tags: bootkit, discovery, evasion, persistence, spyware, stealer, trojan
Score: 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 9/10

SHA256: bfbf60a70d1dbdd452f3b3bc819ce5804b5fc4baa028af084c2e84abaf73bb65

Threat Level: Likely malicious

The file 691ef3891d5c155f2689647f2c441617.exe was found to be likely malicious.

Malicious Activity Summary

Tags: bootkit, discovery, evasion, persistence, spyware, stealer, trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Executes dropped EXE

Checks computer location settings

Drops startup file

Loads dropped DLL

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Writes to the Master Boot Record (MBR)

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-02-28 08:04

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-28 08:04
Reported: 2024-02-28 08:07
Platform: win7-20240221-en
Max time kernel: 118s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\691ef3891d5c155f2689647f2c441617.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Tags: evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\691ef3891d5c155f2689647f2c441617.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\691ef3891d5c155f2689647f2c441617.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\691ef3891d5c155f2689647f2c441617.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\691ef3891d5c155f2689647f2c441617.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\691ef3891d5c155f2689647f2c441617.exe | N/A

Reads user/profile data of web browsers

Tags: spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

Tags: spyware

Checks installed software on the system

Tags: discovery

Checks whether UAC is enabled

Tags: evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\691ef3891d5c155f2689647f2c441617.exe | N/A

Writes to the Master Boot Record (MBR)

Tags: bootkit persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\691ef3891d5c155f2689647f2c441617.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\691ef3891d5c155f2689647f2c441617.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\691ef3891d5c155f2689647f2c441617.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\691ef3891d5c155f2689647f2c441617.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\691ef3891d5c155f2689647f2c441617.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\691ef3891d5c155f2689647f2c441617.exe

"C:\Users\Admin\AppData\Local\Temp\691ef3891d5c155f2689647f2c441617.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"

Network

Country | Destination | Domain | Proto
US | 149.40.62.71:29811 | - | tcp

Files

memory/2828-0-0x0000000001390000-0x0000000001E52000-memory.dmp

memory/2828-2-0x0000000077140000-0x0000000077187000-memory.dmp

memory/2828-3-0x0000000077190000-0x00000000772A0000-memory.dmp

memory/2828-1-0x0000000077190000-0x00000000772A0000-memory.dmp

memory/2828-5-0x0000000077190000-0x00000000772A0000-memory.dmp

memory/2828-8-0x0000000077190000-0x00000000772A0000-memory.dmp

memory/2828-10-0x0000000077190000-0x00000000772A0000-memory.dmp

memory/2828-12-0x0000000077190000-0x00000000772A0000-memory.dmp

memory/2828-14-0x0000000077190000-0x00000000772A0000-memory.dmp

memory/2828-13-0x0000000077190000-0x00000000772A0000-memory.dmp

memory/2828-16-0x0000000077190000-0x00000000772A0000-memory.dmp

memory/2828-15-0x0000000077190000-0x00000000772A0000-memory.dmp

memory/2828-18-0x00000000776B0000-0x00000000776B2000-memory.dmp

memory/2828-19-0x0000000077190000-0x00000000772A0000-memory.dmp

memory/2828-17-0x0000000077190000-0x00000000772A0000-memory.dmp

memory/2828-20-0x0000000074670000-0x0000000074D5E000-memory.dmp

memory/2828-21-0x0000000001390000-0x0000000001E52000-memory.dmp

memory/2828-22-0x0000000001390000-0x0000000001E52000-memory.dmp

memory/2828-23-0x00000000011E0000-0x0000000001220000-memory.dmp

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

MD5 a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1 013f5aa9057bf0b3c0c24824de9d075434501354
SHA256 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA512 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

memory/2828-32-0x0000000077190000-0x00000000772A0000-memory.dmp

memory/2828-33-0x0000000001390000-0x0000000001E52000-memory.dmp

memory/2828-34-0x0000000077140000-0x0000000077187000-memory.dmp

memory/2828-37-0x0000000001390000-0x0000000001E52000-memory.dmp

memory/2828-38-0x0000000077190000-0x00000000772A0000-memory.dmp

memory/2828-36-0x0000000077190000-0x00000000772A0000-memory.dmp

memory/2828-35-0x0000000077190000-0x00000000772A0000-memory.dmp

memory/2828-39-0x0000000077190000-0x00000000772A0000-memory.dmp

memory/2828-40-0x0000000077190000-0x00000000772A0000-memory.dmp

memory/2828-41-0x0000000077190000-0x00000000772A0000-memory.dmp

memory/2828-42-0x0000000077190000-0x00000000772A0000-memory.dmp

memory/2828-44-0x0000000077190000-0x00000000772A0000-memory.dmp

memory/2828-43-0x0000000074670000-0x0000000074D5E000-memory.dmp

memory/2828-45-0x0000000077190000-0x00000000772A0000-memory.dmp

memory/520-46-0x0000000000150000-0x0000000000158000-memory.dmp

memory/520-47-0x000007FEF56F0000-0x000007FEF60DC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-28 08:04
Reported: 2024-02-28 08:07
Platform: win10v2004-20240226-en
Max time kernel: 149s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\691ef3891d5c155f2689647f2c441617.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Tags: evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\691ef3891d5c155f2689647f2c441617.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\691ef3891d5c155f2689647f2c441617.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\691ef3891d5c155f2689647f2c441617.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\691ef3891d5c155f2689647f2c441617.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\691ef3891d5c155f2689647f2c441617.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | N/A

Reads user/profile data of web browsers

Tags: spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

Tags: spyware

Checks installed software on the system

Tags: discovery

Checks whether UAC is enabled

Tags: evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\691ef3891d5c155f2689647f2c441617.exe | N/A

Writes to the Master Boot Record (MBR)

Tags: bootkit persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\691ef3891d5c155f2689647f2c441617.exe | N/A
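
Both detonations (this one and behavioral1) record only that the sample opened \??\PhysicalDrive0 for modification; the sandbox does not capture what, if anything, was written, so the bootkit tag rests on the write-mode open rather than on an observed sector write. The check a responder wants after such a hit is to read the first sector of the disk and diff it against a known-good copy. The following is an added example, not code from the report or from the sandbox vendor: a parser for the 512-byte MBR layout (440 bytes of bootstrap code, a 4-byte disk signature, four 16-byte partition entries, the 0x55AA signature) and a diff against a baseline, run over a constructed image. Reading the live sector (on Windows, 512 bytes from \\.\PhysicalDrive0 as administrator) is deliberately left out so the example runs offline; on UEFI/GPT hosts that sector holds only the protective MBR and the EFI system partition would need the same treatment.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0-439: bootstrap code (what a bootkit replaces)
DISK_SIG_OFF = 440       # bytes 440-443: NT disk signature, 444-445 reserved
PART_TABLE_OFF = 446     # four 16-byte partition entries
PART_ENTRY_LEN = 16
SIGNATURE_OFF = 510      # bytes 510-511: 0x55AA


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


@dataclass
class MbrInfo:
    boot_code_sha256: str
    disk_signature: int
    partitions: List[Partition]
    signature_ok: bool


def parse_mbr(data: bytes) -> MbrInfo:
    """Decode one 512-byte sector into its bootstrap hash, disk signature and partition table."""
    if len(data) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(data)}")
    disk_sig = struct.unpack_from("<I", data, DISK_SIG_OFF)[0]
    parts: List[Partition] = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from("<B3sB3sII", data, off)
        if ptype == 0:          # empty slot
            continue
        parts.append(Partition(bootable=(status == 0x80), type_id=ptype, lba_start=lba, sectors=count))
    return MbrInfo(
        boot_code_sha256=hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest(),
        disk_signature=disk_sig,
        partitions=parts,
        signature_ok=data[SIGNATURE_OFF:] == b"\x55\xAA",
    )


def diff_mbr(baseline: bytes, current: bytes) -> List[str]:
    """Compare a live sector against a known-good copy; an empty list means nothing changed."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings: List[str] = []
    if not cur.signature_ok:
        findings.append("boot signature 0x55AA missing")
    if base.boot_code_sha256 != cur.boot_code_sha256:
        findings.append("bootstrap code (bytes 0-439) changed")
    if base.disk_signature != cur.disk_signature:
        findings.append("disk signature changed")
    if base.partitions != cur.partitions:
        findings.append("partition table changed")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """CONSTRUCTED sample sector: given boot code padded to 440 bytes, one bootable NTFS partition at LBA 2048."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = struct.pack("<I", 0x12345678) + b"\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)
    return code + disk_sig + table + b"\x55\xAA"


# Constructed stand-ins: a "known-good" sector and the same layout with altered bootstrap bytes.
BASELINE = build_sample_mbr(b"\xEB\x3C\x90" + b"\x90" * 20)
TAMPERED = build_sample_mbr(b"\xEB\x3C\x90" + b"\xCC" * 20)

if __name__ == "__main__":
    print(parse_mbr(BASELINE))
    print("baseline vs tampered:", diff_mbr(BASELINE, TAMPERED))
```

The bootstrap hash is the value to keep in an inventory: the partition table and disk signature legitimately change when disks are repartitioned, but the 440 bytes of boot code on a Windows host only change on an OS reinstall or a bootloader repair.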

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\691ef3891d5c155f2689647f2c441617.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\691ef3891d5c155f2689647f2c441617.exe | N/A
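
The signature rows in both detonations, and the Malicious Activity Summary at the top, describe one set of behaviors: registry probes for the VirtualBox ACPI table key and the BIOS version strings, an EnableLUA query, a drop into the user's Startup folder under the name qemu-ga.exe (the name of the QEMU guest agent, which is never installed in a Startup folder), execution of that dropped file, and a write-mode open of \??\PhysicalDrive0. The following is an added example, not part of the report: rule logic for those behaviors run over constructed endpoint events shaped like the report's indicator rows. The flat event schema (kind, image, key/path/parent/access) is this example's assumption and has to be mapped onto whatever the EDR or ETW pipeline emits; the patterns are generalised slightly beyond the page (any VirtualBox ACPI table key, any PhysicalDrive number or raw volume, any .exe in a Startup folder). One caveat for anyone building this on Sysmon: Sysmon records registry key and value create, set, delete and rename (event IDs 12 to 14) but not key opens or value reads, so the "Key opened" and "Key value queried" indicators need ETW or EDR registry telemetry; Sysmon event ID 9 (RawAccessRead), which fires on \\.\ device opens, is the closest native telemetry for the raw disk open.

```python
import re
from typing import Dict, List, Set, Tuple

Event = Dict[str, str]

# Paths taken from the report's indicator rows.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\691ef3891d5c155f2689647f2c441617.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"

# CONSTRUCTED events in an assumed flat schema; the last two are benign controls that must not fire.
EVENTS: List[Event] = [
    {"kind": "reg_open", "image": SAMPLE, "key": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"kind": "reg_query", "image": SAMPLE, "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"kind": "reg_query", "image": SAMPLE, "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"kind": "reg_query", "image": SAMPLE, "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"kind": "file_create", "image": SAMPLE, "path": DROPPED},
    {"kind": "process_create", "image": DROPPED, "parent": SAMPLE},
    {"kind": "file_open", "image": SAMPLE, "path": r"\??\PhysicalDrive0", "access": "write"},
    {"kind": "reg_query", "image": r"C:\Windows\explorer.exe", "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"kind": "file_open", "image": r"C:\Program Files\Backup\backup.exe", "path": r"\\.\PhysicalDrive0", "access": "read"},
]

# Generalised slightly beyond the page: any VirtualBox ACPI table key, either BIOS string.
VM_PROBE = re.compile(
    r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT|SSDT)\\VBOX__$"
    r"|\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion)$", re.I)
UAC_KEY = re.compile(r"\\Policies\\System\\EnableLUA$", re.I)
STARTUP_EXE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
# Raw device opens via either the Win32 (\\.\) or the NT (\??\) namespace: a physical disk or a volume.
RAW_DISK = re.compile(r"^(\\\\\.\\|\\\?\?\\)(PhysicalDrive\d+|[A-Za-z]:)$", re.I)


def evaluate(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule, image) pairs for every event that matches a rule."""
    hits: List[Tuple[str, str]] = []
    for e in events:
        kind, image = e["kind"], e["image"]
        if kind in ("reg_open", "reg_query") and VM_PROBE.search(e["key"]):
            hits.append(("anti_vm_registry_probe", image))
        elif kind == "reg_query" and UAC_KEY.search(e["key"]):
            hits.append(("uac_status_check", image))
        elif kind == "file_create" and STARTUP_EXE.search(e["path"]):
            hits.append(("startup_folder_drop", image))
        elif kind == "process_create" and STARTUP_EXE.search(image):
            hits.append(("exec_from_startup_folder", image))
        elif kind == "file_open" and RAW_DISK.match(e["path"]) and e.get("access") == "write":
            hits.append(("raw_disk_write", image))
    return hits


def rules_fired(events: List[Event]) -> Set[str]:
    return {rule for rule, _ in evaluate(events)}


def verdict(events: List[Event]) -> str:
    """Combine rules the way the report's tags do: the drop plus the raw disk write is the bootkit pattern."""
    fired = rules_fired(events)
    if {"startup_folder_drop", "raw_disk_write"} <= fired:
        return "bootkit-capable dropper"
    if "startup_folder_drop" in fired or "raw_disk_write" in fired:
        return "persistence"
    if fired:
        return "evasion/discovery only"
    return "clean"


if __name__ == "__main__":
    for rule, image in evaluate(EVENTS):
        print(f"{rule:26} {image}")
    print("verdict:", verdict(EVENTS))
```

The single-rule hits are noisy on their own (installers write to Startup folders, backup agents open PhysicalDrive0 for reading, which is why the control event carries access "read"); the signal here is the combination in one process tree, which is what verdict() scores.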

Processes

C:\Users\Admin\AppData\Local\Temp\691ef3891d5c155f2689647f2c441617.exe

"C:\Users\Admin\AppData\Local\Temp\691ef3891d5c155f2689647f2c441617.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 149.40.62.71:29811 | - | tcp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.62.40.149.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 147.78.101.95.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.16.208.104.in-addr.arpa | udp
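
Most of this table is not the sample's traffic: the in-addr.arpa queries to 8.8.8.8 are reverse lookups issued for peers seen during the run (71.62.40.149.in-addr.arpa is the PTR name for 149.40.62.71), and g.bing.com / 204.79.197.200 is Windows background traffic. The one destination the sample itself contacts, and the only one present in both the Windows 7 and Windows 10 runs, is 149.40.62.71:29811 over TCP. The following is an added example, not part of the report: a triage pass over both Network tables that separates resolver and background traffic from the sample's own connections, turns PTR names back into addresses so they can be correlated with TCP destinations, and keeps only destinations seen in every run. The rows are copied from the tables above; treating g.bing.com as background and 8.8.8.8:53 as the sandbox resolver is this example's assumption.

```python
from typing import Dict, List, Set, Tuple

# Rows copied from the report's Network tables (Country Destination [Domain] Proto).
BEHAVIORAL1 = """
US 149.40.62.71:29811 tcp
"""

BEHAVIORAL2 = """
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 149.40.62.71:29811 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 71.62.40.149.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 147.78.101.95.in-addr.arpa udp
US 8.8.8.8:53 205.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp
"""

RESOLVER = "8.8.8.8:53"                # ASSUMED: the sandbox's DNS resolver
BACKGROUND_DOMAINS = {"g.bing.com"}    # ASSUMED: Windows background traffic, not the sample's

Row = Dict[str, str]


def parse_rows(table: str) -> List[Row]:
    """Split the flattened table; the Domain column is absent for a bare IP connection."""
    rows: List[Row] = []
    for line in table.strip().splitlines():
        fields = line.split()
        if len(fields) == 4:
            country, dest, domain, proto = fields
        elif len(fields) == 3:
            (country, dest, proto), domain = fields, ""
        else:
            continue
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name: str) -> str:
    """'71.62.40.149.in-addr.arpa' -> '149.40.62.71'; empty string if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return ""
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        return ""
    return ".".join(reversed(octets))


def reverse_lookups(rows: List[Row]) -> Set[str]:
    """Addresses the sandbox asked the resolver about: peers it saw, whether or not they are listed as destinations."""
    return {ptr_to_ip(r["domain"]) for r in rows if r["dest"] == RESOLVER and ptr_to_ip(r["domain"])}


def actionable(rows: List[Row]) -> Set[Tuple[str, str]]:
    """Destinations attributable to the sample: drop resolver traffic and background domains."""
    return {(r["dest"], r["proto"]) for r in rows
            if r["dest"] != RESOLVER and r["domain"] not in BACKGROUND_DOMAINS}


def corroborated(rows: List[Row]) -> Set[Tuple[str, str]]:
    """Actionable destinations whose address the sandbox also reverse-resolved."""
    seen = reverse_lookups(rows)
    return {d for d in actionable(rows) if d[0].rsplit(":", 1)[0] in seen}


def common_iocs(*tables: str) -> Set[Tuple[str, str]]:
    """Actionable destinations present in every detonation."""
    sets = [actionable(parse_rows(t)) for t in tables]
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    print("peers reverse-resolved in behavioral2:", sorted(reverse_lookups(parse_rows(BEHAVIORAL2))))
    print("destinations common to both runs:", common_iocs(BEHAVIORAL1, BEHAVIORAL2))
```

The reverse lookups are worth keeping even after filtering: they name peers (20.190.159.75, 20.82.228.9 and the other Microsoft ranges) that never appear as destinations in the table, so the listed connections are not the whole picture of what the guest talked to.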

Files

memory/4516-0-0x0000000000D80000-0x0000000001842000-memory.dmp

memory/4516-1-0x00000000767D0000-0x00000000768C0000-memory.dmp

memory/4516-2-0x00000000767D0000-0x00000000768C0000-memory.dmp

memory/4516-3-0x00000000767D0000-0x00000000768C0000-memory.dmp

memory/4516-4-0x00000000767D0000-0x00000000768C0000-memory.dmp

memory/4516-5-0x00000000767D0000-0x00000000768C0000-memory.dmp

memory/4516-6-0x00000000767D0000-0x00000000768C0000-memory.dmp

memory/4516-7-0x00000000767D0000-0x00000000768C0000-memory.dmp

memory/4516-8-0x0000000077C04000-0x0000000077C06000-memory.dmp

memory/4516-13-0x0000000000D80000-0x0000000001842000-memory.dmp

memory/4516-14-0x0000000000D80000-0x0000000001842000-memory.dmp

memory/4516-15-0x0000000006AD0000-0x00000000070E8000-memory.dmp

memory/4516-16-0x0000000006300000-0x0000000006312000-memory.dmp

memory/4516-17-0x00000000064B0000-0x00000000065BA000-memory.dmp

memory/4516-18-0x0000000006360000-0x000000000639C000-memory.dmp

memory/4516-19-0x00000000063A0000-0x00000000063EC000-memory.dmp

memory/4516-20-0x0000000006690000-0x00000000066F6000-memory.dmp

memory/4516-21-0x00000000077A0000-0x0000000007D44000-memory.dmp

memory/4516-22-0x0000000007290000-0x0000000007322000-memory.dmp

memory/4516-23-0x0000000007330000-0x00000000073A6000-memory.dmp

memory/4516-24-0x0000000007430000-0x000000000744E000-memory.dmp

memory/4516-25-0x0000000008320000-0x0000000008370000-memory.dmp

memory/4516-26-0x00000000094A0000-0x0000000009662000-memory.dmp

memory/4516-27-0x0000000009BA0000-0x000000000A0CC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

MD5 a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1 013f5aa9057bf0b3c0c24824de9d075434501354
SHA256 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA512 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

memory/1800-41-0x0000000000300000-0x0000000000308000-memory.dmp

memory/4516-43-0x0000000000D80000-0x0000000001842000-memory.dmp

memory/4516-44-0x00000000767D0000-0x00000000768C0000-memory.dmp

memory/1800-45-0x00007FFE77BA0000-0x00007FFE78661000-memory.dmp

memory/1800-46-0x00007FFE77BA0000-0x00007FFE78661000-memory.dmp