General

  • Target

    Meteor.exe

  • Size

    7.0MB

  • Sample

    240415-3dmzrsba92

  • MD5

    c8bc5cc6e979bc02d7e86337e8717b71

  • SHA1

    e222ecdf20a499458bb3034dfa63afa06170ca1e

  • SHA256

    5531e970106e4d2a795f30972e39875b6a70ee607d0c711af489257ac27373c5

  • SHA512

    bfe05c313c7a90b86c5a78bb56af423502172dac3f6509a1a7f9cfc3178ff62e66060764ea0759242118d875d49ab14282bb6db7aa0548ad56cf15c6229741a4

  • SSDEEP

    196608:Wtssswjou6oimkRnBJ4l90AnIkky4fYL:yUu3imMnwoy4FYL

Malware Config

Targets

    • Target

      Meteor.exe

    • Size

      7.0MB

    • MD5

      c8bc5cc6e979bc02d7e86337e8717b71

    • SHA1

      e222ecdf20a499458bb3034dfa63afa06170ca1e

    • SHA256

      5531e970106e4d2a795f30972e39875b6a70ee607d0c711af489257ac27373c5

    • SHA512

      bfe05c313c7a90b86c5a78bb56af423502172dac3f6509a1a7f9cfc3178ff62e66060764ea0759242118d875d49ab14282bb6db7aa0548ad56cf15c6229741a4

    • SSDEEP

      196608:Wtssswjou6oimkRnBJ4l90AnIkky4fYL:yUu3imMnwoy4FYL

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks