Extracted

• • Target

    a7613e5c267e7f270918ef87fcb1e45c

  • Size

    7.8MB

  • MD5

    a7613e5c267e7f270918ef87fcb1e45c

  • SHA1

    5ce965496ce1d9eea2d78548854bd486c11329d1

  • SHA256

    1b9c4646b8840ef2d2a24603ffa2efa695ee29002c0057d4ba558080f2c485b6

  • SHA512

    19888cf9937c44770dff47027ada8ef8eaa46cc849717ec0fb46bb32d07434b3b851efa708decd2fa18c07333cc247d35e03d71fbd386caea839bf44cdd7c0d2

  • SSDEEP

    196608:LIRcbH4jSteTGvCxwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQkDxtw3iFFrS6XOf:LdHsfuCxwZ6v1CPwDv3uFteg2EeJUO9E

  Score

  7^/10

  persistenceupx

  • ACProtect 1.3x - 1.4x DLL software

    Detects file using ACProtect software.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2behavioral3behavioral4