Overview

overview

9

Static

static

3

vacuum.exe

windows11-21h2-x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    vacuum.exe

  • Size

    7.0MB

  • Sample

    240427-g2nejsch32

  • MD5

    777355080ce4b38e03e3bae0ce8703ad

  • SHA1

    f8c457e2cca750a3ddfeeb504952475deb5bab2c

  • SHA256

    e6a084a656921b8c78e2bc76540e86d914355628db8035a0c3b34df444f7d78b

  • SHA512

    55e8b94a07ca463184d189f3a280d3a0e3acc34c6f7b76c14d156e0fcb7524c034f69185f7bea37da11a24386e4c899f99eeed2597970efba979b6d1b39f1d94

  • SSDEEP

    196608:CmIKnxUeWniz4u7OoZdt8DCJpPT8Lny+G:CDKxS+Vhdt8Dwcy+G

Score
9/10
bootkitevasionpersistencetrojan

Malware Config

Targets

    • Target

      vacuum.exe

    • Size

      7.0MB

    • MD5

      777355080ce4b38e03e3bae0ce8703ad

    • SHA1

      f8c457e2cca750a3ddfeeb504952475deb5bab2c

    • SHA256

      e6a084a656921b8c78e2bc76540e86d914355628db8035a0c3b34df444f7d78b

    • SHA512

      55e8b94a07ca463184d189f3a280d3a0e3acc34c6f7b76c14d156e0fcb7524c034f69185f7bea37da11a24386e4c899f99eeed2597970efba979b6d1b39f1d94

    • SSDEEP

      196608:CmIKnxUeWniz4u7OoZdt8DCJpPT8Lny+G:CDKxS+Vhdt8Dwcy+G

    Score
    9/10
    bootkitevasionpersistencetrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks whether UAC is enabled

      evasiontrojan

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks