8efb44d31cb52a7087fd2b76b8650cab8a39616106189fa732f44ea676c6035a

Sharing

Copy URL

Twitter E-mail

General

Target

breakaway_setup_1.44.00.exe
Size

4.4MB
Sample

241119-nvrlyswepm
MD5

11925cf38de9313e87a3980a53ac0be6
SHA1

a9d2e27a4b789fbef8b23e740753b6eb85e65516
SHA256

8efb44d31cb52a7087fd2b76b8650cab8a39616106189fa732f44ea676c6035a
SHA512

67bee82ab48cb75d49679060180225ce1c18530a942089b4e9d531849bc087b08bab2a13c9bd1eae758543f82bb1bcadb16981e35b34c6f817a389d1147abab6
SSDEEP

98304:GB1HdkWyGx7qLQx+MAVkuntmGfBgLvr8uN6mjlUtA13WkRdfewG1ha4H:GBrkWUo+MAVkunlEvxllR1bRpGhH

Score

9^/10

Malware Config

Targets

- Target
  
  breakaway_setup_1.44.00.exe
- Size
  
  4.4MB
- MD5
  
  11925cf38de9313e87a3980a53ac0be6
- SHA1
  
  a9d2e27a4b789fbef8b23e740753b6eb85e65516
- SHA256
  
  8efb44d31cb52a7087fd2b76b8650cab8a39616106189fa732f44ea676c6035a
- SHA512
  
  67bee82ab48cb75d49679060180225ce1c18530a942089b4e9d531849bc087b08bab2a13c9bd1eae758543f82bb1bcadb16981e35b34c6f817a389d1147abab6
- SSDEEP
  
  98304:GB1HdkWyGx7qLQx+MAVkuntmGfBgLvr8uN6mjlUtA13WkRdfewG1ha4H:GBrkWUo+MAVkunlEvxllR1bRpGhH
Score

9^/10

bootkit discovery evasion persistence privilege_escalation trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  c17103ae9072a06da581dec998343fc1
- SHA1
  
  b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
- SHA256
  
  dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
- SHA512
  
  d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
- SSDEEP
  
  192:7DKnJZCv6VmbJQC+tFiUdK7ckD4gRXKQx+LQ2CSF:7ViJrtFRdbmXK8+PCw
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/UAC.dll
- Size
  
  14KB
- MD5
  
  b7d7324f2128531c9777d837516b65a6
- SHA1
  
  e15e44fc7c907329e1cd3985e8666b4332f4fa48
- SHA256
  
  530dc2b26366fc86072487438317a5723a10ff8b38522f9e813df19146a31033
- SHA512
  
  829fc241cd377de094faf80bb38828c3d877170ca4a3fd85810bc911d2ce38941f8067ef681c21d8bbc04be8a99a3d32b3aec51ae7b32d3a89e5a9d9597ed8d5
- SSDEEP
  
  192:+kipfAcFT9GlPjP5yIUbf7V8rdawGYiYIRTRGczl6MAW1p2oXO8ham:+VNAcXyDUB3VJbR5l6MAW1p88z
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  $PLUGINSDIR/nsDialogs.dll
- Size
  
  9KB
- MD5
  
  c10e04dd4ad4277d5adc951bb331c777
- SHA1
  
  b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
- SHA256
  
  e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
- SHA512
  
  853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e
- SSDEEP
  
  96:hBABCcnl5TKhkfLxSslykcxM2DjDf3GE+Xv8Xav+Yx4VndY7ndS27gA:h6n+0SAfRE+/8ZYxMdqn420
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  BaDeskband.dll
- Size
  
  84KB
- MD5
  
  cda23a2ce0b5adf45ffe01816fba862d
- SHA1
  
  3d10e548c3e074286405597823835c58447f16e1
- SHA256
  
  2cf62afd1bc5aa880e2ddeb3206331353959de4b329eca36fdc8c25c4a1aef30
- SHA512
  
  c39c7a67dd99a8439b7100e72b823e654d708d2776023e6d45d5cf5ab265fd4b185dc2e67b540e75fb00e45c0dc480c52c939fafce15595ec09bad636b96b1a6
- SSDEEP
  
  1536:akh6O1JjABTuOgj4wwQ7N8yPsMyGeqFD:BJjyAkwwUN8yPsMyGe
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  BaDeskband2_32.dll
- Size
  
  20KB
- MD5
  
  4d6e77851b76bf014a0839449ae0f546
- SHA1
  
  7ced0e9bdaab1130e53255fd0828198a9ebb8581
- SHA256
  
  03c45381d7cc87f9bab9084db48344e1addbc6400e9b348eec76760a09fdcf40
- SHA512
  
  8a946e5095f07650c0a4a4dbc860e7457d0325283f5af0e884a9e0bb44f920d7b389f74b59efb3d61462dbaba03d56e01890e62102c2aea6ce42f63c623ea70a
- SSDEEP
  
  384:Y/OIKc5DuZn0eivDoSZTYe7ym87GszOtu8cf:Y2u5I0ewBTk7rOt/u
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  BaDeskband2_64.dll
- Size
  
  27KB
- MD5
  
  05a8856111f44dc232911ebf06963037
- SHA1
  
  32bc0ae743c6b05beae7a58bdf2c8abe2d91cba8
- SHA256
  
  e9bd6f43cc6779b328887d250cf3f67b56375d633f53fd38b549b11156074549
- SHA512
  
  4c3d01c355ccaba32aced45a8bc3ee115a7875bafd2a8fd03cccebf637c7438c5ecce25b1500252532a0512b9fdfe94ec5c3ab98cf4995d1063d281347365e42
- SSDEEP
  
  384:sxcx9US/9jJ2uaqq+ReKVFhcDW6eC1RLIFaIcLyrJ/f1Ol3L6+:McLUWpwOuMdcIZr1NOl3
Score

7^/10

persistence privilege_escalation
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
behavioral13 behavioral14
- Target
  
  breakaway.exe
- Size
  
  5.9MB
- MD5
  
  1b90da8b29716405565d08d8fdd116a9
- SHA1
  
  e211b215f4d2dd03a8047241bb2fd689baca5c61
- SHA256
  
  1a8ed7a0e13fb993a71d03574b3a54ecc8488c626baa4783de541373bf4e0fae
- SHA512
  
  374284ba521de59cf3ca7bd9aba4bd08f395a8465e56c97d323e712e8dfed0090dac339a85ccf1c93eadec52e69de919626c67d33eff1d6c2e6de285e8dd82ab
- SSDEEP
  
  98304:LGTMC8gmI8WKnNr/tLTP2cDM9UcZwlOj3acHPR9cfTnY:L/C58drlOc49nml+Kcrcs
Score

9^/10

bootkit discovery evasion persistence trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Checks whether UAC is enabled
  evasion trojan
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral15 behavioral16
- Target
  
  endpoint_volume.dll
- Size
  
  107KB
- MD5
  
  6e4cdc51778d23fdf00fc7e924044721
- SHA1
  
  6337874b23f06596c0aec2e7ae229f524bb37f9a
- SHA256
  
  3ff0389a6153ec10077404435ecaa9bd9b77c4e2eccb60b44eb2a4a4b173d8fa
- SHA512
  
  84e26df4f7f8305fd99823af31b7e464cc19d86ed8f712a1461f6cd7cf4d9c1400cca6626707073795f8f70d5cc5cc1b8b4c11b30bc0e020a5f93accecc92a1f
- SSDEEP
  
  1536:nj/LpdZnsHDTl8HyHMBYMDFL+YPcu2MINUsWjcdeof/NmmYp:PpdZsngFDp+Yol533NmmYp
Score

3^/10

discovery
behavioral17 behavioral18
- Target
  
  uninstall_breakaway.exe
- Size
  
  90KB
- MD5
  
  be4376d46dde21623943a87c1045ead4
- SHA1
  
  d5effe6f171173123eb7deeb618701571b34ca7d
- SHA256
  
  843dfdb623c613e2b897680b8b6b6265665417fe0ee0f81889ee38d41bd8cabd
- SHA512
  
  94f26bea8737fc2435fae5e38a1ae681317608079ed6e57073b6f3db191a2e1d2ff903897bbcad57ca1a0d7c2444e0c6f6da8bf2e65c4390924191d114952d0a
- SSDEEP
  
  1536:qpgpHzb9dZVX9fHMvG0D3XJWFBruKIfbmx3sF75Px6:ogXdZt9P6D3XJWFduHfixcF7dx6
Score

9^/10

bootkit discovery evasion persistence
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral19 behavioral20
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  c17103ae9072a06da581dec998343fc1
- SHA1
  
  b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
- SHA256
  
  dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
- SHA512
  
  d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
- SSDEEP
  
  192:7DKnJZCv6VmbJQC+tFiUdK7ckD4gRXKQx+LQ2CSF:7ViJrtFRdbmXK8+PCw
Score

3^/10

discovery
behavioral21 behavioral22
- Target
  
  $PLUGINSDIR/UAC.dll
- Size
  
  14KB
- MD5
  
  b7d7324f2128531c9777d837516b65a6
- SHA1
  
  e15e44fc7c907329e1cd3985e8666b4332f4fa48
- SHA256
  
  530dc2b26366fc86072487438317a5723a10ff8b38522f9e813df19146a31033
- SHA512
  
  829fc241cd377de094faf80bb38828c3d877170ca4a3fd85810bc911d2ce38941f8067ef681c21d8bbc04be8a99a3d32b3aec51ae7b32d3a89e5a9d9597ed8d5
- SSDEEP
  
  192:+kipfAcFT9GlPjP5yIUbf7V8rdawGYiYIRTRGczl6MAW1p2oXO8ham:+VNAcXyDUB3VJbR5l6MAW1p88z
Score

3^/10

discovery
behavioral23 behavioral24