988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f

Sharing

Copy URL

Twitter E-mail

General

Target

988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f
Size

14.3MB
Sample

240521-ttbr1abe64
MD5

3f05981c960cbf724d8aec6ff2e5a66b
SHA1

d7e9338356e85a1824c76dfb10216bd84becb048
SHA256

988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f
SHA512

e461cf6ba6ecc48d7644054b67157b239a627e1021f4b47ab1da806d941fef2e85321ca537fe6b9caf2c0db19aa03c0adc230da594ac224ac5a019ff73e92ffb
SSDEEP

393216:V9ugEkty7AD0/0kfMEs4nC+bCxxddPN4644jpXdyIuJR8s:VLEcpD0/rTTfCxxmqIIuws

Score

9^/10

Malware Config

Targets

- Target
  
  988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f
- Size
  
  14.3MB
- MD5
  
  3f05981c960cbf724d8aec6ff2e5a66b
- SHA1
  
  d7e9338356e85a1824c76dfb10216bd84becb048
- SHA256
  
  988f5cc56caf26115f78a50166cac0dd7724d11a2501f04bafc263d57b86e34f
- SHA512
  
  e461cf6ba6ecc48d7644054b67157b239a627e1021f4b47ab1da806d941fef2e85321ca537fe6b9caf2c0db19aa03c0adc230da594ac224ac5a019ff73e92ffb
- SSDEEP
  
  393216:V9ugEkty7AD0/0kfMEs4nC+bCxxddPN4644jpXdyIuJR8s:VLEcpD0/rTTfCxxmqIIuws
Score

9^/10

bootkit evasion execution persistence trojan upx
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Creates new service(s)
  persistence execution
- Stops running service(s)
  evasion execution
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks whether UAC is enabled
  evasion trojan
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $DESKTOP/查看机器码.bat
- Size
  
  1KB
- MD5
  
  4a027f0c86eb9614e81af680b2475499
- SHA1
  
  ca79f5c7789ffd01af9c00d20f15b1077e55fc15
- SHA256
  
  6c198b42a0c464d602a4e1a46a7ec19cf2f635ae2b2de3c566f2c1bd57e7d050
- SHA512
  
  169190d40a3d177c51bd4033d6dd543c8170fa8d3ee343a61de3f7803afce472473e712f60bacd4f82c51e24fe01e2936eb7309f22b896bd35f985b272200c01
Score

1^/10
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/SelfDel.dll
- Size
  
  5KB
- MD5
  
  ca8bcdded6b265453cf68bae8bbd0b3a
- SHA1
  
  9dbe872ac53e075c0954c882d034aa009c733092
- SHA256
  
  299ba97dda721cc9216bda218769eb269a239c8bcf09bd6acc774ff935849184
- SHA512
  
  a9b19434c35236a049036f0153a5c7184c95249fdb04ef7605484551d40a8aba37462eb617e96301cd4363a324f0282e26179ce4b78973ca43e0a63b4dffb33c
- SSDEEP
  
  48:S17Ql+sbsjAowLVEq1y58vzWLDjjZSeJY8JTaTIUNEyTFS7lr0zsBEaSujrt6EQD:v8sgYLVEX4zwjINxS7xg+TScrQD
Score

7^/10

upx
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral5 behavioral6
- Target
  
  $PLUGINSDIR/rfshdktp.dll
- Size
  
  2KB
- MD5
  
  9410591a148871a6d0629cf25b94526f
- SHA1
  
  be1e8b0fe8327f185136a0d2460a68f720484535
- SHA256
  
  acc76e81f71e7f2ba58c36d678bc9ae4705e0187a3cdfa6d0025190467d9c0c7
- SHA512
  
  465d3e418e769b907262e07cbca3d2c5132bf328431d456be09c059821be20a6d30106562d7ef0bfa93ca219b2abe57ee891d937419fc4b8840987b184b45df0
Score

1^/10
behavioral7 behavioral8
- Target
  
  TigerHwidTool.exe
- Size
  
  14.2MB
- MD5
  
  a6244982dfd17611db5aa64be1d140b5
- SHA1
  
  7c1b3d4dd86459857d0e73812276e80ca83b260d
- SHA256
  
  fa0dd508bd819d5a96b8caf7c2ca69033ca74005ce830f432b012a21c37ab5d4
- SHA512
  
  0f5c22eda3da555037016c90f8ca510db9bb9fa405c1dfca8ba31088c461def47c25d12ac55e408f6e8c352f0c01bf65ef158d1d6dc5d3e7c5fcf160c17fb754
- SSDEEP
  
  393216:TI3QX2QVPxsAmsJ7YLP/B8tvlC64xlDAEErL+Pwofo9a:TEQ1sxsJEbmIxbDsrL+4ja
Score

9^/10

bootkit evasion persistence trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks whether UAC is enabled
  evasion trojan
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral10 behavioral9
- Target
  
  spiderman.bat
- Size
  
  254B
- MD5
  
  2969a9253db05b47faa53ad2e95ed622
- SHA1
  
  172357e51f81b513769b39d1c92a25a4e2aa415d
- SHA256
  
  4c31e0eadcc1f277cea1124f4e6337665f2d195c781c556453db8a003a6fec7b
- SHA512
  
  1087ffe43314ce73c930538436a6de89339c21fc455d1e9e540ba06f9452d7d41bf843f181a28e6a2e2717a729222ee11325a3c8f6a4e22099c7abee20e94daa
Score

8^/10

evasion execution persistence
- Creates new service(s)
  persistence execution
- Stops running service(s)
  evasion execution
- Deletes itself
behavioral11 behavioral12