General
-
Target
RATS PACK.rar
-
Size
129.6MB
-
Sample
241116-wzyvts1fjn
-
MD5
c48b7d922d28f8db63f8b0311324ad39
-
SHA1
61d4526c819904995ba867ae257f149c36ad63f6
-
SHA256
1fef3ffb433d16b566453a794280a2487581fe3d7d17adffeb2bbc75abacea46
-
SHA512
fe59766600a4399387ec58eb3d1ac44dc6b091b96d663d7d4e203a3d30431160a8c4e3df1b53606d06d4dcac04b2691bd585cf2f92588a0cd23b9d8b9656229d
-
SSDEEP
3145728:0yPCzjR/Igf2bh5eBSbcZH1R206JRUc0u:07hPogSgl1x6JRr0u
Behavioral task
behavioral1
Sample
RATS PACK.rar
Resource
win7-20241010-en
Malware Config
Targets
-
Target
RATS PACK.rar
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence.
-
Drops startup file
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of NtSetInformationThreadHideFromDebugger