General
-
Target
agpsv.bin.zip
-
Size
996KB
-
Sample
240611-z4qa2asara
-
MD5
c87d757caba3b34fd2e89db59bd0e540
-
SHA1
15a70ecadf3c2bb554eb24a5a07603c58a7d091f
-
SHA256
95df6f3e21b9f69fbcb2a412ba0ba4e4c6ea809897274c92ab45bb00c6aaedd7
-
SHA512
39e5e64d7e330195baf170dcbccb25b9b06ed54358e76a5d02f04334b2aa62b70387b28128b17f4b565dd52194f150d4c837d0d29d05bafe08a527c91cf70a31
-
SSDEEP
24576:y/CgXGyENttGcSVvgfo0ilMLKelp+Yeql4iOhJTJ/0EZExpBPtm9ixW3QgMDj:WENttdSVf+QPdc/s9iQmX
Malware Config
Targets
-
-
Target
agpsv.bin
-
Size
1022KB
-
MD5
0ff5ecbe655b0b5781700195d2e8475e
-
SHA1
88287fb8ae38e8b4b3c7dad7ef72200f1ff6c20d
-
SHA256
d85538af1e2ee590775bcf2d6cdd5b757eb4eded381f9a3d3c94c81a52534035
-
SHA512
b3d6e7f0396151265968a3a17b2523e7a8564df5e5332f577791335e3337b4a076971b76485a9bdaca4d181860058e791935e8d459dbfe6f65320dc76bef84a5
-
SSDEEP
24576:SFuFIa6JCDe6/xeB9RC3EXhJcXiWeAu3mBgVLn7PYzEd:Bt6JKd5YHTXTcXu33mBWLn7PYe
Score10/10-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Virtualization/Sandbox Evasion
2Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1