Malware Analysis Report

2025-06-16 03:39

Sample ID 240526-k6ws9seb27
Target 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5
SHA256 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5
Tags
blackmoon banker bootkit evasion persistence trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5 was found to be: Known bad.

Malicious Activity Summary

Blackmoon, KrBanker

Detect Blackmoon payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Identifies Wine through registry keys

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2024-05-26 09:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 09:13

Reported

2024-05-26 09:15

Platform

win7-20240221-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe

"C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe"

Network

Country Destination Domain Proto
CN 42.193.184.104:7701 tcp
US 8.8.8.8:53 www.ip138.com udp
US 8.8.8.8:53 www.baidu.com udp
FR 138.113.100.16:80 www.ip138.com tcp
HK 103.235.47.103:80 www.baidu.com tcp
FR 138.113.100.16:443 www.ip138.com tcp
US 8.8.8.8:53 2024.ip138.com udp
GB 138.113.101.11:80 2024.ip138.com tcp

Files

\Users\Admin\AppData\Local\Temp\iext1.fnr.bbs.125.la

MD5 e60421fdd78fd5c62f7188055202e055
SHA1 30874f0a03f409231e8b64be2d76ba9a92c82f31
SHA256 aa8bc94c32576e87db8fc327c1103441966380e3e1da30303ce05df40687dd41
SHA512 c348fe342c5299b90da1f325a8a3a1defd6bf0da555af0d5bdfd5f1dde7ac871316932fd9fba67feebf2f31ee6978fc63547d3c3317b9c39f9777cf66608460b

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-26 09:13

Reported

2024-05-26 09:15

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe

"C:\Users\Admin\AppData\Local\Temp\2a6e8c82e7a5129140b7f3b58dfe26e8e6035017397191286a417fdbd1e0aeb5.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
CN 42.193.184.104:7701 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 www.ip138.com udp
US 8.8.8.8:53 www.baidu.com udp
FR 138.113.100.16:80 www.ip138.com tcp
HK 103.235.47.103:80 www.baidu.com tcp
FR 138.113.100.16:443 www.ip138.com tcp
US 8.8.8.8:53 2024.ip138.com udp
GB 174.35.118.62:80 2024.ip138.com tcp
US 8.8.8.8:53 16.100.113.138.in-addr.arpa udp
US 8.8.8.8:53 103.47.235.103.in-addr.arpa udp
US 8.8.8.8:53 62.118.35.174.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\iext1.fnr.bbs.125.la

MD5 e60421fdd78fd5c62f7188055202e055
SHA1 30874f0a03f409231e8b64be2d76ba9a92c82f31
SHA256 aa8bc94c32576e87db8fc327c1103441966380e3e1da30303ce05df40687dd41
SHA512 c348fe342c5299b90da1f325a8a3a1defd6bf0da555af0d5bdfd5f1dde7ac871316932fd9fba67feebf2f31ee6978fc63547d3c3317b9c39f9777cf66608460b
