General
Target: NEWAIMBOT-_PERSONALIZADO.exe
Size: 15.2MB
Sample: 241002-tm6nssvgnp
MD5: 4ac16c841f3503982341a021726a6ff7
SHA1: b32ad8f8e0883c7f786049c03e935d2770c47ec0
SHA256: f15e686d612fdab8efd24397caf2423064a9ede0a442065c8806389fe593e0cf
SHA512: 2242ab4a3c7537a35b051fe216b5ccdf3d262899218e601aa55157ff20cfb23cc4f1637f477b1b94bc4796773fcfb661f9fc1d18aa01ca3bb53b62f266810065
SSDEEP: 393216:/YSvqCWIqDkgn0HZY9N9Cti2nfOshouIkPftRL54YRJb:/YSyCWVkNaRCE22wouTtRLzb
Behavioral task
behavioral1
Sample: NEWAIMBOT-_PERSONALIZADO.exe
Resource: win7-20240704-en
Malware Config
Targets
- Target: NEWAIMBOT-_PERSONALIZADO.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
- Drops file in System32 directory
- Enumerates processes with tasklist
- Suspicious use of NtSetInformationThreadHideFromDebugger