7ee418f0f9a52187976c4e7ccaa0325379d6fd8713d1efdf4c243e37434d2b84

Sharing

Copy URL

Twitter E-mail

General

Target

Nursultan_FREE_2024.zip
Size

184.0MB
Sample

240723-sq7vlawhkk
MD5

93ed900c6d39fe0c1daf583760fb179e
SHA1

ccda065d5d46924af9953ccb65a8c6f8a26e0c31
SHA256

7ee418f0f9a52187976c4e7ccaa0325379d6fd8713d1efdf4c243e37434d2b84
SHA512

39e0553731651cc04a65b15821dfc25eacbb6cd25718e30bbfc163d77eebd2d5662f183874a9c4f73090ebb0f888a1253bc7edcb428b85618112513a87ce209f
SSDEEP

3145728:4+w3E+1VwaWyFio95ER6bpdVhje9dhZMKHhh+jV3n5iyWKcLMlESZ8iX/0iK:+0+HwaW7R63VhjePhZlT+pnPWKqMlNZe

Score

9^/10

Malware Config

Targets

- Target
  
  Nursultan_FREE_2024.zip
- Size
  
  184.0MB
- MD5
  
  93ed900c6d39fe0c1daf583760fb179e
- SHA1
  
  ccda065d5d46924af9953ccb65a8c6f8a26e0c31
- SHA256
  
  7ee418f0f9a52187976c4e7ccaa0325379d6fd8713d1efdf4c243e37434d2b84
- SHA512
  
  39e0553731651cc04a65b15821dfc25eacbb6cd25718e30bbfc163d77eebd2d5662f183874a9c4f73090ebb0f888a1253bc7edcb428b85618112513a87ce209f
- SSDEEP
  
  3145728:4+w3E+1VwaWyFio95ER6bpdVhje9dhZMKHhh+jV3n5iyWKcLMlESZ8iX/0iK:+0+HwaW7R63VhjePhZlT+pnPWKqMlNZe
Score

1^/10
behavioral1
- Target
  
  NursultanNextgen2024/OpenAL.dll
- Size
  
  1.3MB
- MD5
  
  0f163156630cb64fbf0d0e35d73f1ea6
- SHA1
  
  3e61ac1236af119a550df18a403b2c65b5483dd3
- SHA256
  
  29bf4a0be8d6fa2c8e6f17cf37a2f94b61209bdc446052b239a2d8b44c624c78
- SHA512
  
  8e2524a10739caa77d2bfbdfad7228f23ecec681a3a248b6b06faa62647f67593f67c626e9fb7daae95bee2123536e56dab906a8ae84713e64723ebd01606c11
- SSDEEP
  
  12288:3hzRge0QCL6O63uwOEu4DV0cQdc8IH8tXqrQEC7CnkwGhHN8UOTe2M4bVatOdm17:HgySf63uXEDacfwt8hHqiDR30/s6S2
Score

3^/10

discovery
behavioral2
- Target
  
  NursultanNextgen2024/SAPIWrapper_x64.dll
- Size
  
  42KB
- MD5
  
  97ed307c26244e7e845a8e888099eb6f
- SHA1
  
  03c2989f7f633b56417c7831f53aeeb20065f61b
- SHA256
  
  43ca444fb76e71bbbb34b85b8ee6bda6f1cb5c9c29747d480b9dc3dc79435999
- SHA512
  
  155c460544b281c176dc75c497f96f168514b5fae746b9b946c96096558cfe00cd5bbf4eb7132bd5b9ce9836a3bba54d1d8299094ca68b8b42ca7fd5cee4801b
- SSDEEP
  
  768:aGucPfgSPYXYqo3/nDn6lllVsuScmgVJqGPMgBHHH:aG1XgSAXm3PHuScmgCGHpH
Score

3^/10

discovery
behavioral3
- Target
  
  NursultanNextgen2024/assets.rar
- Size
  
  4.9MB
- MD5
  
  18e6e3b39e78a2cdc999a10503ee6c3d
- SHA1
  
  2dcb7265e54a33cc1bbd6b08914712120e7e0723
- SHA256
  
  888dabbf512949d7e0d2c5ad7143b02cdabc16d314f7a3ef2db0eb88843caadb
- SHA512
  
  38049928c7935e00a03f85054b4887d641d087cd43264680573399b0f658b057b07ad3c3f48a7361ad8ff2abeb0694cb03b97fcfe9cb0cbcf257f097940ed230
- SSDEEP
  
  12288:XpaCOXfw0Nf5xF1XzotVVr6RaRaYaOa3aZamaFa4aLnBuNkQib:52fw03xFR02S7H68Hwl2j
Score

3^/10
behavioral4
- Target
  
  NursultanNextgen2024/jemalloc.dll
- Size
  
  111KB
- MD5
  
  726d3ca3bf8bc182bffc9cc126c243ed
- SHA1
  
  78f043b314a7c8573e6fff69dc558cf1126af225
- SHA256
  
  c708bc4b3015403a5240bd949bc6b98df97c0cfcf5a9a269e7999c4726b76cbe
- SHA512
  
  a90bdc4300e3bb72d0e0df072c97cfd380dadfe3e14117616ee9a282865a696b7c5d238363fa472305c936c44449fe751cc4c5ad7e11b85d3a8faf2380a76736
- SSDEEP
  
  1536:/tUU+1voe+krM51raaETSNBh3okitp6TflKE/lyfW04fEL9Y59C6:b+ZUkrMuHTSNBh3okitQj1lyfWSGu6
Score

3^/10

discovery
behavioral5
- Target
  
  NursultanNextgen2024/lwjgl.dll
- Size
  
  234KB
- MD5
  
  340a4e25597be14b9bd6a6c61cfef0d6
- SHA1
  
  c4440d52b24129261e530a55ab87375871e38618
- SHA256
  
  8695f043eccc65091bf8077bbd05281e4ad08081724d2a6d8878f3c8891dfc6e
- SHA512
  
  ee83f21ba058a71af93c35d0cfef4b2a2d97a767aa0d12a0946d0eecae378a24143eac04dc832b06e4e1eab3daee00ca7cc67fbc4b9d337069b0252b068ae112
- SSDEEP
  
  3072:OeJIN2OcGc/dRecVzYk5nC2gc70FmimAYyKr1nBM/UK7MQPUxi9/lo6TAXFjlzXk:DuKz1aYrhA/UK4QPUY92I
Score

3^/10

discovery
behavioral6
- Target
  
  NursultanNextgen2024/lwjgl_opengl.dll
- Size
  
  7.4MB
- MD5
  
  e669283790077343477be2e0a7578891
- SHA1
  
  5b6e41b930aedcc1f6ccd9301448e6c0eacc1315
- SHA256
  
  b11625c73e8ef0f76058b2ef7d7f09dc3453988eba227e9d7b2310eea923d7a9
- SHA512
  
  f81376c9727614d12a1825c71b93024ff9659822f6dc8f660277e85467081e1755ced1e53241d6009b09214c5f7fd0cfab47383bb6a42077757b0bd1cd2fa71b
- SSDEEP
  
  98304:8mg7qz9u16T8R2y1fUv50DKKNUqGX1Y5l533y9SSFr32W3:8vqRu16T8RpfSaDKKNUqGX032z3Z3
Score

3^/10

discovery
behavioral7
- Target
  
  NursultanNextgen2024/lwjgl_stb.dll
- Size
  
  102KB
- MD5
  
  b5ee40662104194eb904fd559d5e781e
- SHA1
  
  224a48ab7ba6fcdbf684ca841d059c9bd297376e
- SHA256
  
  2865f9df4a6635135fe40029e43e76e11287c2deb30e4b023c7acbfd896aca58
- SHA512
  
  35f61a019be990ab65316e03ca6de3691426da1d232d1caf90e0d8dcc3c020a7c6db13207fbbbad74b39b653740594a26a8038c43ce1d478c17090209b75962c
- SSDEEP
  
  1536:CqP4/ysXsu3E2BuY/5dCFegxqN9BBJ5QBJXM+ETV4JJARDeQfLpcI:C5/GYRdfBJ5QBJ7lC7La
Score

3^/10

discovery
behavioral8
- Target
  
  NursultanNextgen2024/minecraft.jar
- Size
  
  36.6MB
- MD5
  
  1bc56c1c09bb5d108365c0992291f5c6
- SHA1
  
  7c47e8db8b527b256520499033f0c39ab2fee449
- SHA256
  
  15788f4491bbaefd419c7a152a2ce35e59ad827218260a10430a2fcf23e30cf6
- SHA512
  
  a283f96cc878a88125cdb1e959f17044ddcb4031e566f4a3273012e4cbfc568004b2a25c54896b104fe0ede950193b518f6be283de260679871e8860ea88c86d
- SSDEEP
  
  786432:J67l/W65D0Dspv3aagZb+1VBy3W8B4YrA2ysrjAAi81iVZV6zihX1:el/94Y93gb+1VAP4YrA2y5AnCZVrf
Score

7^/10

discovery
- Modifies file permissions
  discovery
- Drops desktop.ini file(s)
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
behavioral9
- Target
  
  NursultanNextgen2024/natives.rar
- Size
  
  130.7MB
- MD5
  
  0996f1c0771894aa1bfe7f0aa9da7b6e
- SHA1
  
  e95a44d91e5314d7cecb00d8daa97f44c2a2e068
- SHA256
  
  750ebb269fea4f5ccc14fc842b65dac8c3fafab11b3ebd490740a4b6aeb9be89
- SHA512
  
  41eb66d59ca43215c446cb30d1f70968b32b490d2ec1701b96f669a969c439a6c4a47364560e39cf95f87cef9045c63799c9dbcb6b017243f91365ecaffb7531
- SSDEEP
  
  3145728:XFio95ER6bpdVhje9dhZMKHhh+jV3n5iyWKcLMlESZ8iX/0K:CR63VhjePhZlT+pnPWKqMlNZ3MK
Score

3^/10
behavioral10
- Target
  
  natives/Nursultan.dll
- Size
  
  130.9MB
- MD5
  
  677fade82777815bfa26725e136d3791
- SHA1
  
  3ede1c959e60cca82c44a8124eba232b24efb63c
- SHA256
  
  97fd7c6ad118abc2af2b5454c7aeae413ecd21dae7be66830e30b5dd09d6b1e4
- SHA512
  
  8b005413ea6b1163ba056cac618012513abe745505ca50df0d145666cf2deb6b4d0db132b352cc7c62538b9295aefb83fa200492143487be83cc7dd3dceeb346
- SSDEEP
  
  3145728:sxez3Uijs5lAL/k13DD6Dw5jIDjjr2n0JBM5b8A1Ks6:s631js5l+uH6DwjIDjjc0UOA4
Score

5^/10
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral11
- Target
  
  natives/OpenAL.dll
- Size
  
  1.0MB
- MD5
  
  a21338306c8027ebc459c57db8459777
- SHA1
  
  dc8f7a5704164fe3dff3631c326bab7159a9358d
- SHA256
  
  1e128050e6ecd9da7a030f76b24d93a1dcb7de55b02d80cd2e2683818e895b5a
- SHA512
  
  eb80fc1924985db488175ee87389cf8ce7e851f78370f339a77ff09d7323ce5fee2e63e3562d299a6436a4d5f31cce0194fe2d1c9c4cc47809ba6d3cfb8a47eb
- SSDEEP
  
  24576:Xr0+fjUIVeMqRF/HuYDstAyAS7vUipuBuAEgFpti33Ja:PjF7qRF/HYrZvUnBuAjpti33M
Score

1^/10
behavioral12
- Target
  
  natives/SAPIWrapper_x64.dll
- Size
  
  83KB
- MD5
  
  214a0bc5ae5882495d94f7779d64b323
- SHA1
  
  c4a293116e7531d950db2d5ea737e61a9912b61d
- SHA256
  
  a8b701f1ed640bfc7e842f9bc07dd493fad3284f15bc1fa9dfc15371733d6326
- SHA512
  
  0da432d50569f753c0c9831b8854732c0e23fb382ef36d17a1d460e8e4c431495ce0358cc658da87d19e39c58230370423a58adabdf3f92a578a2279d84a7e58
- SSDEEP
  
  1536:/0tGA00KTHlHZeCbxnnQOzAGg1wsWjGpRsBQ+8/iJyzfGdc9dlVkloExc:/0tgTTFHZj9nnQOz1I0GpRsBQ+8/iJyZ
Score

1^/10
behavioral13
- Target
  
  natives/glfw.dll
- Size
  
  347KB
- MD5
  
  532f9686b0b55b3d7cf9f6733f29ba28
- SHA1
  
  9d95a8f52cbd48ab87937714eb4fd2129ed10f0a
- SHA256
  
  7cc30e89f7fd61ca8532b4ecb9e05598cf426d0a336bc382a128e28b824a8962
- SHA512
  
  6e6fe022238e69565fed6cb85fa74b913aed187487da4133a3e14b7eca230bbf5d70c8ab88d02b15e68a0a10549130ff2b0f2eb7d85ef3af8f92218327cfadfc
- SSDEEP
  
  6144:BzJVXAXWofCvG4AnlKVGb8Z7ESBI5yTAdj:BzJVQXW6CvFAlOxzG
Score

1^/10
behavioral14
- Target
  
  natives/jemalloc.dll
- Size
  
  248KB
- MD5
  
  cdcaa2d4874a0aaab526c52e1fff2fea
- SHA1
  
  8a6eb00b934da6c97b0dc9d2dc321843076c8987
- SHA256
  
  b147a3cc1fce8a514a558a030fe647a4a91761769eedec1c1ca2be1cd712a9e8
- SHA512
  
  270ae883818c2cea891c3efae717aa3f455c902721ad80441b0f2b28e58bf9aeba67bb1fb65d76f20d09a4c937a089ee1018439b3815b9fcdb7d7fdcce704853
- SSDEEP
  
  6144:5ISPvZG+86Mzlpb2mnk5uIXhy3hKT4W5i6wb:5n86MppbkxwKMb
Score

1^/10
behavioral15
- Target
  
  natives/lwjgl.dll
- Size
  
  439KB
- MD5
  
  310adc26c92b020fb6d2944092d81312
- SHA1
  
  d01410449d2402a952e9a6063699f1868196883f
- SHA256
  
  207fcf6f27e60600772d202f52ba00edcd085048da30523d3ac03092dd30f873
- SHA512
  
  db4c6f1c8accea57ad395be51f3fd673cd5577b955ea5051ffd2269c1fa62437e18753104499ecd0af954fd5fc6a9478a13f499f68dc1e12295823f7120ede2d
- SSDEEP
  
  6144:02gUXvUg6HVz/8rCkEZK+rY1ELoR18+D:02gUXvUnF/m8VNkR3
Score

1^/10
behavioral16
- Target
  
  natives/lwjgl_opengl.dll
- Size
  
  333KB
- MD5
  
  780ed18868c28c0c249379982ea3297a
- SHA1
  
  8e9836dd0d1691356db654aa02533ad80e9bf52c
- SHA256
  
  92aec0f2b142a56ad8f361919ee0e6b387c92269efc9645071db6561ae9b6324
- SHA512
  
  430136fa22df4753c460ba4f3bfe18f9be1b1d0f0b59deedb9d5ba1e1db54ae5da3a74c3951eb59ae0b8760b5b6806373a76811c5b6f69f18bd966978f5d0e1f
- SSDEEP
  
  3072:4LVyef0be4PP+OI7RSW3Dm/W99vMdvBAoF/5OZX2lh2mH3+F5Tye:MVrQnXrW3iWCaZeO
Score

1^/10
behavioral17
- Target
  
  natives/lwjgl_stb.dll
- Size
  
  488KB
- MD5
  
  236817b9ba4f101e25518f1158b7691f
- SHA1
  
  8b047fb3f6c31946fe33157e7912ac31595cd3b8
- SHA256
  
  64b424ce5142ce23b43e2e2bc5cc8543add7c0037a151b279e4e17aa7f7600a0
- SHA512
  
  bc5624cc4b08f75247ff6c53f737be9938199273a45065a8fb05b6057aa7bbd1a39a1b59adb86d952a2680080dbb1ef3483a8e054029f0bf62395e0c551dbe9c
- SSDEEP
  
  12288:kJ3JRsrmLj3DyaVfBrWFWplDFRWeotDqR:UngmLTDyaVJrWQXDFgeUqR
Score

1^/10
behavioral18
- Target
  
  natives/lwjgl_tinyfd.dll
- Size
  
  209KB
- MD5
  
  5dc7452c51330beb7a178d7093cdac49
- SHA1
  
  ec0fd8007afba6697d5b3b8249b5be27096a0ce8
- SHA256
  
  696a87865bf27f2cb9bc866e6d75e1a4ee3e8c469180cb9f8ebb90a2af876d10
- SHA512
  
  a671123d7ea2f5dd2f307e19627b456b7a1fe62920c64cb08fdcc4be5f0ba017c5b72a0e9ba428fa5996a82584e039818bc41051b7e883d70252b69926f82716
- SSDEEP
  
  3072:7+Oyz6WBIDhWW3gDYP1EKvqotQZGXNKSMYghpYCS1DQmdJQFACZ1sai3Uzz2KC:7+zxShWW3gDYtC7cXfMY63S1ag/bK
Score

1^/10
behavioral19
- Target
  
  NursultanNextgen2024/rar/UnRAR.exe
- Size
  
  494KB
- MD5
  
  98ccd44353f7bc5bad1bc6ba9ae0cd68
- SHA1
  
  76a4e5bf8d298800c886d29f85ee629e7726052d
- SHA256
  
  e51021f6cb20efbd2169f2a2da10ce1abca58b4f5f30fbf4bae931e4ecaac99b
- SHA512
  
  d6e8146a1055a59cba5e2aaf47f6cb184acdbe28e42ec3daebf1961a91cec5904554d9d433ebf943dd3639c239ef11560fa49f00e1cff02e11cd8d3506c4125f
- SSDEEP
  
  6144:yY8mmN3YWYGAj9JwXScp39ioIKzKVEKfr01//bbh3S62Wt3A3ksFqXqjh6AusDyn:yY8XiWYGAkXh3Qqia/zAot3A6AhezSpK
Score

3^/10
behavioral20
- Target
  
  NursultanNextgen2024/start2.bat
- Size
  
  2.1MB
- MD5
  
  348b560da17e0e6c18041dcfa9a0d6f5
- SHA1
  
  baf2cf3e5ab0b0ec56dcc99cdffb2a3f8cb46416
- SHA256
  
  d268c873f10effb233f91d4f27c324c3d2a7431731fde4186ee440e12e4d4583
- SHA512
  
  cd9e7d4b8b42a59e7cf1a3f75e38a415d5c51b255cfa954abe39d900f4bb295db7cd4037c0376d829c704d7f8272d4efc33fb6bbdc1b4265f1b6288370419aaf
- SSDEEP
  
  49152:lIEFyUT+YTWC+m2s2qGYDJLNVk7evxE09WRQ9LX5E:LFyUT+2DmsnDPSavWpRQBX5E
Score

9^/10

bootkit discovery evasion execution persistence trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Drops startup file
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral21