General
- Target: OverWolf_Crypter.zip
- Size: 36.5MB
- Sample: 240501-yzy7psfe3y
- MD5: 6d2675dad2efbb61a8209337043cd06d
- SHA1: 53d9c069729291c6c567082dab3152ff102164dc
- SHA256: fb35fa679d6452d6944de5029b1f9c39749d890d3322b90c017d35d78ac7b095
- SHA512: 07b8d95879a8f92dbbb67b2c9ba84a7cd50e1feeadbdda63f9cabf70e94a5a9496114199088b1f728c40cc797b105d86132e2927f94983df0e32bdd177daeaba
- SSDEEP: 786432:Ip4PvgSVcZuPrdc9mbxBXv1JvJEbWUGeIfaR5Zsegcx4a+kODq2:IKPvjcuRBb31JvJ2GnsZs5OODB
Malware Config

Targets
- Target: OverWolf Crypter 1.1.exe
- Size: 35.3MB
- MD5: dea64aebd0b2051617afb8125de0d53e
- SHA1: b0e4a4b64505d739e8b6cf0cb19daf7f19934e00
- SHA256: 50062d171fd4f80379d3a1bdadc1c4c6c4ac6a2640e708d8471f3dc9614e5ed4
- SHA512: 4d8f781c98dcfbfb9a262127a8fba6042901a49e2dfbeab57212b2ae72930718840dfdbf20058b206c149039c19a8f7be4b13a5c9d8185e572664f2c93160a4e
- SSDEEP: 786432:MfeJhmSTrKdgwppe+aJEe77zZY+HRzO/DPeZry7zd0:jpR+a6CJYGRzO/beVym
- Detect ZGRat V1
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Suspicious use of NtSetInformationThreadHideFromDebugger