General
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://cdn.discordapp.com/attachments/1255285720042442864/1255532278541582336/revival.rar?ex=667d790d&is=667c278d&hm=0add3c927ace34fc380b174a7f51042773b200c8c4c11af02d32165f024c6a54&
Resource
win10v2004-20240611-en
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/1169713279464120370/GUIw2wEmQMllUHEfRf3MNeS3DBNrZN-RuTQ9QbFfAqIZNVHtIlkj1yiD5QqgrIlv8gQi
Targets
-
-
Target
https://cdn.discordapp.com/attachments/1255285720042442864/1255532278541582336/revival.rar?ex=667d790d&is=667c278d&hm=0add3c927ace34fc380b174a7f51042773b200c8c4c11af02d32165f024c6a54&
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-