General

  • Target

    file_x86_x64.rar

  • Size

    15.7MB

  • Sample

    240312-2wj56afb36

  • MD5

    66d593035319546aef95712abaeae75d

  • SHA1

    a3cd36b8662f2d99583c6bbd84f99a8cc76ed05d

  • SHA256

    6956b6c3c3e9c09c46dea9e2a1badd3de102fa788bad6dfc14d3489dd58bbdef

  • SHA512

    9c742ed10c422479693f61a4c3223314955a6c184517626e56559ea8f261d21b83335c784483aa76572e0c533b03067bb4e4b0f7fc71f36aa5d95ed8ea0996be

  • SSDEEP

    393216:47x5e3LyXU/hKPPLAIKZ7N81KTWbHLaOyXRm7Fb9Z61O/IAozZaJDbgIvG:K4CU/hEAxZ77TWbHLcXEhP61O/ZUZMDS

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.210

Attributes
  • url_path

    /f993692117a3fda2.php

Extracted

Family

vidar

Version

8.2

Botnet

4275d1ec6a7d641620468013a0ce345b

C2

https://steamcommunity.com/profiles/76561199651834633

https://t.me/raf6ik

Attributes
  • profile_id_v2

    4275d1ec6a7d641620468013a0ce345b

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0

Targets

    • Target

      file_x86_x64.rar

    • Size

      15.7MB


    • Detect Vidar Stealer

    • Detect ZGRat V1

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • Stealc

      Stealc is an infostealer written in C++.

    • Tofsee

      Backdoor/botnet that carries out malicious activities based on commands from a C2 server.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Contacts a large number (3888) of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Creates new service(s)

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • UPX packed file

      Detects executables packed with the UPX open source packer or a modified UPX.

    • Unexpected DNS network traffic destination

      Network traffic on the DNS port to servers other than the configured DNS servers was detected.

    • Checks whether UAC is enabled

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Language/WinRar.exe

    • Size

      3.2MB


    Score
    1/10
    • Target

      Language/an.txt

    • Size

      7KB


    Score
    1/10
    • Target

      Language/ar.txt

    • Size

      12KB


    Score
    1/10
    • Target

      Language/az.txt

    • Size

      9KB


    Score
    1/10
    • Target

      Language/mn.txt

    • Size

      8KB


    Score
    1/10
    • Target

      Language/mng.txt

    • Size

      20KB


    Score
    1/10
    • Target

      Language/mr.txt

    • Size

      10KB


    Score
    1/10
    • Target

      Language/nl.txt

    • Size

      8KB


    Score
    1/10
    • Target

      Language/pl.txt

    • Size

      9KB


    Score
    1/10
    • Target

      Language/pt-br.txt

    • Size

      9KB


    Score
    1/10
    • Target

      Language/ro.txt

    • Size

      7KB


    Score
    1/10
    • Target

      Language/sa.txt

    • Size

      19KB


    Score
    1/10
    • Target

      Language/sk.txt

    • Size

      9KB


    Score
    1/10
    • Target

      Language/sr-spc.txt

    • Size

      11KB


    Score
    1/10
    • Target

      Language/sv.txt

    • Size

      8KB


    Score
    1/10
    • Target

      Language/ta.txt

    • Size

      12KB


    Score
    1/10
    • Target

      Language/th.txt

    • Size

      15KB


    Score
    1/10
    • Target

      Language/va.txt

    • Size

      6KB


    Score
    1/10
    • Target

      Language/yo.txt

    • Size

      10KB


    Score
    1/10
    • Target

      Language/zh-tw.txt

    • Size

      7KB


    Score
    1/10
    • Target

      LiteRes.dll

    • Size

      735KB


    Score
    1/10
    • Target

      LiteSkinUtils.dll

    • Size

      48KB


    Score
    1/10
    • Target

      Resource/CMap/UniKS-UTF16-H

    • Size

      128KB


    Score
    1/10
    • Target

      Resource/Font/AdobePIStd.otf

    • Size

      83KB


    Score
    1/10
    • Target

      Resource/Font/CourierStd-BoldOblique.otf

    • Size

      31KB


    Score
    3/10
    • Target

      bentonite.cfg

    • Size

      963KB


    Score
    3/10
    • Target

      setup.exe

    • Size

      799.0MB


    Score
    9/10
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

Tags: glupteba, stealc, tofsee, vidar, zgrat, 4275d1ec6a7d641620468013a0ce345b, discovery, dropper, evasion, loader, persistence, rat, spyware, stealer, trojan, upx
Score
10/10

behavioral2

Score
1/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

Score
1/10

behavioral20

Score
1/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

Score
1/10

behavioral26

Score
3/10

behavioral27

Score
3/10

behavioral28

Tags: evasion, trojan
Score
9/10