General

  • Target

    tmpfile-main.zip

  • Size

    87.6MB

  • Sample

    241202-tmhlza1nez

  • MD5

    762150d85cff9faedfec11d6676d4b04

  • SHA1

    cf5bd423921074fafb4375bdc1f1d2327b4f4475

  • SHA256

    d6c2f953a4c4b2f7bf58378855bbc3d38c1b4d686118ad899540e5778413788d

  • SHA512

    64ad5327c7675f4ab591992ca36877b300da6d5a6fc76f7c51cbc0c47134810cc6dc3ee012a20ed496b0c6ff8755d271fc5441dd97ac3bc36d19caf3712f0719

  • SSDEEP

    1572864:jE+BrCAYhXLbRX3KemYimAv6k282KHJzNXmbb7JwfMnwJ1rJGAINeXA+0TR:jE+Brl6XLblmYeTLNpNmHq0urJNI0X3Y

Malware Config

Extracted

  • Family

    bdaejec

  • C2

    ddos.dnsnb8.net

Targets

    • Target

      tmpfile-main/0000000r00d000r3.exe

    • Size

      4.9MB

    • MD5

      340753116751ef6f5212667501a0e562

    • SHA1

      ad4d25b43964c1c54accdcbe97a3f2ca80d15894

    • SHA256

      b61907b9081bb5d7125264c5e60de013c02b7b866148248de603fb55f8d39a18

    • SHA512

      d9564e38ea4000c16ebacc4a4b95925c8998d2bce33b3ad7bd0aa0b220d60f372d798591f4365b1271085036055519e4a94afd47d51ad5a2c6002e1f54ffc2f2

    • SSDEEP

      98304:w4KoSKQ6Kob7IdoOPn49MWTB9z2OuVIsFx6fZPELW4sF+JKcNWdZRM9b7:wAXQFob7Idj/4VTbaVIsSBfFoxMnsb

    Score
    8/10
    • Sets service image path in registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      tmpfile-main/Deadly.dll

    • Size

      2.2MB

    • MD5

      1f7f91db0a0f706a3f7d44600a421a93

    • SHA1

      eafbe3ecc407d626825b66efbe455cbf973d7cc5

    • SHA256

      e36a5bdda244a3b37f6f1f714c2d0944576c1c3dae67ac0b68663bfbce2139ad

    • SHA512

      56d1859aef530307d9ecaf77ea38c54faef7b1628e377152ad89302904b049d6a37becbc46efa1a82fd73d2df6f62822c6e43f12085f87e344fe95e946645c2b

    • SSDEEP

      49152:cuBJqcIdVoSwfQiBEFwm2E1ujer6Ci53EyV1aleyuqO+ctMZYxOm:cPTPMje3TeyXctWYx

    Score
    3/10
    • Target

      tmpfile-main/Dragon.dll

    • Size

      720KB

    • MD5

      92b359433130842cccf2a49f58a57a93

    • SHA1

      9e4f66544adcf9e3ea125fb3efaae3dd004f0a15

    • SHA256

      10b6a7c2207a1db4fe6cd70acd8989dcb05769ca944a02166f9475c06c99817f

    • SHA512

      9a9fa9538dc9b815da84c904b97a2b66b73a3f611d9635ebb4270dd3df8ab617e425c1229d25319f85c8e693efe6e1b917a97ce87c86568f9a9ba003fa1f9f8c

    • SSDEEP

      12288:OrUI8Ff3dWZ0PTu2TGE0TY/3K56+OlHFcEh9iqO9reVeD0DFjehnH:OYlFf3dW2PTu2L/3Kc+OlHRh1OqwhnH

    Score
    3/10
    • Target

      tmpfile-main/ExecuteSafe.exe

    • Size

      1.9MB

    • MD5

      6e91dbece816e2748ee187292f19ea26

    • SHA1

      0a6dffbf7984614164b231026ca67d7c02db34b4

    • SHA256

      e9c1cb3b37a84e3693ccdfbba4d05d845d7ba57695f69954745ec646707b2788

    • SHA512

      58f368e2eefb3b81c89149aa39178e666b2ab112052ad1a56f5671c5d86b3025c5f704b62f75403d8ae2704f743830459255352f61a6d6743605cdc94fe30478

    • SSDEEP

      49152:HvshqUD8pHf+zZtVdSA82wel5b3E6x8eK5P4:gqA8hM7XBwQdU6KH5A

    Score
    7/10
    • Checks BIOS information in registry

      BIOS vendor and product strings are often read to detect virtual machines and sandboxes.

    • Target

      tmpfile-main/Exterm.exe

    • Size

      830KB

    • MD5

      4b1fba57411e2fb9756f44a84bd74b43

    • SHA1

      06305226e1d4e4fcca12d83d72dc8a4fe9f4d9ed

    • SHA256

      4001b4e8a309eb8949f827d0b3ef572c79c1b21d96aa4c35436b0930bea8eec1

    • SHA512

      ce491f3fcea8d270351825f0ac8e48994866d728db121b954c0fa2d16d7999d0f898c99b969f75521c5c827bc5437221e707f78e3fb68e70c8a6abd91775f113

    • SSDEEP

      24576:75bRMyb2OEpAoC0HJ0EWRVW4ICikaZo8M:NbRMyb5YP0ny4xiNZoB

    • Bdaejec

      Bdaejec is a backdoor written in C++.

    • Bdaejec family

    • Detects Bdaejec Backdoor.

      Bdaejec is a backdoor written in C++.

    • Stops running service(s)

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Target

      tmpfile-main/Gaming Chair.exe

    • Size

      2.1MB

    • MD5

      9503205a5f7581720f7fa6348c49a93b

    • SHA1

      34453ec11bb30ae10519a468deaefbf3f965fe3a

    • SHA256

      0dca41e17e4f286a420dd2e6fbbd9ad460f1dac1f3de83672fa9de977f6b6402

    • SHA512

      0524cabf5d0b87bf6f34a1c2e2cc3eef85e95e5b3fdd66fc60e5e07e4c0ce7cdbeb9eca7778bae5b4a0302ce822a08ce30c346d62bdbd746e2c8c6c8fe015191

    • SSDEEP

      49152:xMi7EDQljtuC9Ss8k9yi83GMB5rr3KJPjFJa9Ndcs8Mcs8Mcs8Mcs8M7Lbr7Lbr6:xBYDQ1th9SVk99scB

    • Bdaejec

      Bdaejec is a backdoor written in C++.

    • Bdaejec family

    • Detects Bdaejec Backdoor.

      Bdaejec is a backdoor written in C++.

    • Stops running service(s)

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Target

      tmpfile-main/GasMask.dll

    • Size

      1.2MB

    • MD5

      6ce564c9e9414e30efa98cf2e89dce85

    • SHA1

      24995a42ea796bccdd658da27850599c5f766400

    • SHA256

      9cefe9de454a473b63b9b017fde5cc8943c4a66843bed116e2e18bbbb53152f8

    • SHA512

      34c64ea75629f1fb99c90ed2cedfb058aafa7b55f706dd28c430bb73a4c441330c69cdd254b83aa8ad7f81717d874f783a77bf08f788f1a4fdfd08d1dc6342de

    • SSDEEP

      24576:F0a5aucUW5js7kZECTZEuGKFNNW30ZzOmXVzS:KZhO9CTxW30ZzOmXdS

    Score
    3/10
    • Target

      tmpfile-main/Hybris_DeadlySafe.exe

    • Size

      5.2MB

    • MD5

      92ec446588b008d16d3c0257b211feaa

    • SHA1

      35b24b8f87d2e360534711d50c444b37fb372ef3

    • SHA256

      152f9fd249079ca448ed89a219de8ccd4eb8d351a525fd39f1cafde3e95cefd8

    • SHA512

      78ccb2692a6d3cfaa8c4868030ce66cc93f374a59d5350994ee868f7c00bcc63595979bc6d1e05370a0a26925e799dbabe0352f663a13a732d891eaa2101dd1a

    • SSDEEP

      98304:z4b1yOSHUKAt3HppO1mPCQcrZdRbqZJ70GXTCKFUxvl+dOw0j2p:mo1At3HppOwqTZTbqZJ70SCNl+dOw0Cp

    Score
    7/10
    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      tmpfile-main/Hybris_DragonSafe.exe

    • Size

      5.2MB

    • MD5

      62d9c2c02adf5c6d0fa9652c9e393a6c

    • SHA1

      c52f6dc02253b89e27f4ab5cdca547a03fd3d174

    • SHA256

      e0c9b189665db1472fdd883c9cdea327514e05143ddb2db54ef5aaa52a6c8ca4

    • SHA512

      108d73086df770be5721a4d3ff2922e0251e22c685c6914b60a6124da28019a92ff0868861076e9b80d231c6f2a79cdbb9e8fe064fd8d248782b7d4d3ae57feb

    • SSDEEP

      98304:Deox05aqx/R+IelPauk5/cJADgYKsRr4dk9nUNMfR+JMgMV2:uN9R1e87HHZFnUN66

    Score
    7/10
    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      tmpfile-main/Hybris_ZeroHackSafe.exe

    • Size

      5.2MB

    • MD5

      0e588abf4f1ca1d91047449253e6b7ce

    • SHA1

      ebb7342e345cea5e68a2ad7112de465586921796

    • SHA256

      e073c4d9b3995dcc33e8fc33e9c02af527c70937b1c946397c83bacfbed065af

    • SHA512

      06fa2d3d20b916d8fa652df970a382cdbaa508ba458272e4b26e135ec3d051b89faa4541540e7d348c605618897439a27e25d94f30818c3f08839538128888b9

    • SSDEEP

      98304:vFiIUy06zTw91KS5WAV04eN/oEMqUKucAXix9msJcszLn:vFhU91KS3e4e+EMqU1MECcsX

    Score
    7/10
    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      tmpfile-main/Hybris_gamesnusSafe.exe

    • Size

      5.2MB

    • MD5

      17fc0571c8eca741bd868070125a9269

    • SHA1

      245f3fb7c21a7d94060cc77026c8dd9702596c8b

    • SHA256

      e6d9bda848025b550e4360cffb1942b5e3d73277958739c78689131e512644ab

    • SHA512

      6731ee46aabcea6e9aa14328f5781a91b69a9f6e2b2ba72f7c4a1e83a307ed4be831adec1d7806f45c9e43a55537f79f9260e2bb621782bcc3a2b7fc955559bb

    • SSDEEP

      98304:4T7G9lRQ2jnhuaEYXvoMmYC9IC+LaXrLSecpl1rlHGA5dStV2kqr1u:4TMbqYXva9VHSPX1xmAGAhu

    Score
    7/10
    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      tmpfile-main/Hybris_vbrSafe.exe

    • Size

      5.2MB

    • MD5

      f5358698ae0949d99870b3e8cfb88714

    • SHA1

      c859fb713a81637b4f9544f5f82bafad0ed8267d

    • SHA256

      2aa1e753efebc1839470a50de3050e312b175658d00ac7bb80cb211ab36e4f34

    • SHA512

      54c29119a301bcecd6b2ebe6b5924b5035779b91273cf7f8e1280de9d20eb1ddedea0644f9bf8504df51911f0bc46d6a1d3eb26d0a1032949ea742037313fd73

    • SSDEEP

      98304:Xr9zasaO5aIcOXl2CPS7C0sfKzbs596TCO/Z0IRvwQuR0lU:Xr9zaaPPSm7fgbiPO/iIyQume

    Score
    7/10
    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      tmpfile-main/KOSTYAMANIPULATOR.exe

    • Size

      9.7MB

    • MD5

      21f26636a39c0e60ab5053fbf82df5a9

    • SHA1

      c7b1b2e60837e773de6df6eba4a73d658f1937f8

    • SHA256

      9ea24fd5d0243dd41cfedf445bbd328b04ab2f21917d1b93fa2333687006f219

    • SHA512

      5840c5f190ae5732f16e529563c51215f2be5f03b7194abb1b480b9c8bb7cf2e24851673b7c6990dcd8b1907344b0863e6aad644259010118d314fe7aa6af7ea

    • SSDEEP

      196608:FZeO36tXOGEjU2+6T8N1/lCw6fUpxgJcgsTqMXY:FZeOMXObyS8N1WfUpEcgs

    Score
    3/10
    • Target

      tmpfile-main/Launcher_.exe

    • Size

      10.8MB

    • MD5

      71ab17e8e24d818510c17b23827f48c4

    • SHA1

      7ff1e9e367d9819e619004284284148895f681e0

    • SHA256

      b2d85cfe08783b236f83e8d47c626a7f6408eb1ddeb04027b08231c199224dab

    • SHA512

      92249503c2078a0437e6d9d91ec70d6a53785a93064b1b938a2a9f22221d22ab06eefa01b801b0ba2474090100efedf87a4f402386033bb173c020fdacb54766

    • SSDEEP

      196608:/FpWkqF/+URVdm9Vet6SrsoU5EWJiM7/noQhtN0HHSkrqGicAja:9pQF/i9VQ6SgLawH50HykrVis

    • Target

      tmpfile-main/Node32.exe

    • Size

      366KB

    • MD5

      31be6f6a2cbf1c49790b490df463500a

    • SHA1

      878a2fee90a2ceb49213a5b5742499ca8e14fec0

    • SHA256

      6d4222db12dd717bef62cabc134fbbdad8033767780eeb6d7322a38b8a2a81de

    • SHA512

      8b3c2e96ee85502d4ebd750e94397915370f47543cb7ce0c0b598407319387727678daac28dd843f0d61685b83fb8597cf473091774cdf74cdc9dd98f9a06d37

    • SSDEEP

      6144:NClTCNaC5liBrWdzoRQJx9LDmaAF5kDERQp+QDW9WkkHp683KX:NUolitMIaAFkJ6

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Command and Scripting Interpreter: PowerShell

      Runs a command via powershell.exe.

    • Sets service image path in registry

    • Checks BIOS information in registry

      BIOS vendor and product strings are often read to detect virtual machines and sandboxes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      tmpfile-main/Node63.exe

    • Size

      13KB

    • MD5

      f04105a5ee0d0b440ab470546ac95400

    • SHA1

      64cd0a16d842065336eb2e47f9a2a04339f187fe

    • SHA256

      8788e01aa0ff4f299112ce04501a23d241522d8abe9663bfd09487adc8322d10

    • SHA512

      fa5f41b2b0ec3c14b35b980147c40e7c1afd55729ced4280a70819a278dec265c7f37fe0faf69a96ca09a92f5e77073e54acf3dfd37017b69b928ae42148adce

    • SSDEEP

      384:8TzzCX9HSjnpYNLLt3rYKHzMr2X1Vl6fnr:8Ta9yjWxxzg2X1Xk

    Score
    3/10
    • Target

      tmpfile-main/Node64.exe

    • Size

      368KB

    • MD5

      47fe2649cc2325a477fce08731aeb716

    • SHA1

      268abf2cceac62263fe040dc40b8b4b9aa3592da

    • SHA256

      d3808b41fe847339d9d69eaa05a5c7dea072b3e6325127a53b54c0d5e102f49b

    • SHA512

      173bd39f32dc4c95309e8e23a33542f92bb1c22459be30e47b52ab92827f418c7ba59fd9b31606f7f40824366e949e7de89a851d1acb8425bbf7fd607632e0d4

    • SSDEEP

      6144:dClTCNaC5liBrWdzoRQJx9LDmaAF5kDERQp+QDN9gkHp683KX:dUolitMIaAFkh6

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks BIOS information in registry

      BIOS vendor and product strings are often read to detect virtual machines and sandboxes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      tmpfile-main/Porofessor_Setup.exe

    • Size

      2.5MB

    • MD5

      8a19e78bbcb60ea27e0294b197401aa5

    • SHA1

      049cd6a13a45c99d2a902fb98f90a6c229946482

    • SHA256

      30a808ece805c7265f7db8bb5a43fbeb3bfdc1b0a460e2b6739261453cea62b4

    • SHA512

      0b011e2eba7dfebbf26c380323b6de550cedf38d9f01f1aae1e15ef895013ba909afc1bbcad4464370b1ec0ebd607aeb5acc96e0d015dc67de43ba68435045ba

    • SSDEEP

      49152:QvYTdtKEj/ol/08eXoRIs2PjufadJk+Zl11k56gOz02Y6N1gWb:AY5t7k5/0orrfad9j1kwTo2xA

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Command and Scripting Interpreter: PowerShell

      Runs a command via powershell.exe.

    • Checks BIOS information in registry

      BIOS vendor and product strings are often read to detect virtual machines and sandboxes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      tmpfile-main/Roblox.exe

    • Size

      28KB

    • MD5

      0e72d0a7e749406589ada8a2d6964fea

    • SHA1

      7b827c89c45fbde9abfd5b53346e233e59a386b3

    • SHA256

      7b65d90fcb1d3c0c2c0ae401a3eef7df49c9eb01c6efdd9816d1771b8d51c828

    • SHA512

      5b4df06930d5c510a4c6aefeb53d398b536a6063cfd673e44335f3cc646d8b863a7fb1ede0d95721c715641bc8297104cf93622571e258084e30cf66155e9254

    • SSDEEP

      384:JXZNVxlSBBE6ZzHFxwIF9BHOc/i2vfLUlp2wW:JXZZlSBTVfF9BHD/dE2wW

    Score
    8/10
    • Downloads MZ/PE file

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      tmpfile-main/RobloxExploit.exe

    • Size

      8.0MB

    • MD5

      eaf07d4e566630071f77b47c9659f321

    • SHA1

      712c970925b3b140d430b76541a71200ec261ad4

    • SHA256

      c089d08a2a7574b11b937138cb57ed37c9e153691df0a0bf7e1979e79fb58db1

    • SHA512

      1d2e3254fb38b640767f71db2f8cb6c1bc39dce3a4b1601aaf46ff3665ab0ce1a9410dffc513a4df6b45cbfd01b74155143ed86146befef9fdaf9671534c40c5

    • SSDEEP

      196608:ZYngTqShJZ5QjugEU4f0cwoMwqkz9u9n3pzyfzj3L87ONv9kVNWt/vaUqb:TAjuZNrwmzTkkmyt3aUqb

    Score
    7/10
    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      tmpfile-main/Sobfox.exe

    • Size

      5.2MB

    • MD5

      a34a8c7f18a484aebc37cc67e86f8441

    • SHA1

      c0fbef5f036d7b4bb1d9d350e24d6d99096f1ba1

    • SHA256

      1f350ddd7b2d7cf5da7dd41b793d1d28642b7bfd4ddac2c278499b2d911bece5

    • SHA512

      e8df773de29f73bf7b1e3915b842abcdb3f42185cfb632b60ae1f5c1fcf9cc0cad57d3f54f79f9ce6c94c9691e3f72e66efdec4f63ba5f5de908f318d2d9f9ab

    • SSDEEP

      98304:j3GIi+v8hp0EI/mbrVVxAnPJ6hR0O+vk3nVcJGOLS:j3GIiMhubJVeQ5+k3nVYLS

    Score
    7/10
    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Target

      tmpfile-main/Spoofer.exe

    • Size

      1.4MB

    • MD5

      8a3a208004bb6c2538c5b1f7b3a9abc2

    • SHA1

      7df25e02fe6f0c38a4cd9c413d4dc9e43712e23f

    • SHA256

      b21dcd28685971bccad0f04e828a95770e7eb93c9c44ac8463eac0577adfe37f

    • SHA512

      d1ae7d0a274c82054ba18f010f921e51eb7ef4a98ae990490da5cd49601ce6c089cc0f1a5b4a6ae7dc32333f5760fca6e3e737af350695730d847b3e341a8247

    • SSDEEP

      24576:5Axa2A3lBPp1vXmwsSgtJ+HPstaTHpOqwzzFQeaqduiI157y1P9cFPCegnEz:5Ak2wX/m4gtJ+U8JWzzF3aUXI1l8cFa4

    Score
    7/10
    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      tmpfile-main/Update.exe

    • Size

      2.7MB

    • MD5

      aaafab0fcfaf53ca2a23ebb9b53e6c51

    • SHA1

      a35f29165722d2b1d6d8ba691b6770bbdfcc80a5

    • SHA256

      da800c15bfc6dfb4558e67b8383604d086c7368150930c7bec6236fb423d46e0

    • SHA512

      f9881fdc4ec03a862bc21a2bbf1d0b3bc1b65fdf84da6f17406370fa563920a065de3c03e81c38fe3b78529d8b518544a58a7d7270bd4167336f186cdccde7c8

    • SSDEEP

      49152:tbq9bRv21rfnG2G3yrzbYEDpN2hqWyJB4BKkgrV6Sd0hnB+kn3Hnx:ov2JnG2Myrw6NXJaInrVVd0hB+k

    Score
    7/10
    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

    • Drops file in System32 directory

    • Target

      tmpfile-main/ZeroHack.dll

    • Size

      1.1MB

    • MD5

      1871dae37e3c93cc4adff71d99081139

    • SHA1

      4e37bc7b4ba825676a05d0a58757b07448e0a4dc

    • SHA256

      b5e269b60c138f5668eeb6f6eb24f195bbd32ea753b66657594755c359318099

    • SHA512

      ada8dd72a6643955b5ae5a72f0174ea6eefac2ccbd8282f1808d9efc8fb2e0b648f6322cd35e1fac44bebddaf1221139ee4d5e2769900fc22a261772ea63b937

    • SSDEEP

      24576:+oqduRagFgyx/XWN8dISc5bNvchYeNQdEfSj+vKTm5FaEugpDe/7xz46k847j3RI:+LvgFgyVWN8dISc9NvCYeNQdbKvKTm5S

    Score
    3/10
    • Target

      tmpfile-main/dutchlove2.dll

    • Size

      877KB

    • MD5

      da1227edc1b7dbbc02d45a8e290b786a

    • SHA1

      e9e6bea6d6cd1aad2af70288668f2d17646dfadd

    • SHA256

      58a2e2377a202897ae58bf3e2c44ca01270414cc42aadb50ab4969fed80274af

    • SHA512

      2ddade3c5a6b5a7f8890426520cdb7fc9c816ef2c45ffaf41142f517e7304ee2a871ea660c3a74a51925b5fdde49687af8be8efe9a88b2f6b540ead05a645478

    • SSDEEP

      24576:teMFIpoLgu6HlWIH3Uz3zuHH8C1HtVDQTFBPliygbY3KJ:kMOJhHCiHH8C12BPEU3KJ

    Score
    3/10
    • Target

      tmpfile-main/gamesnus.dll

    • Size

      1.8MB

    • MD5

      3088891cdd2694b0d0e5af074e367e84

    • SHA1

      8f410b3b8f1014494cf3ccbe25d05fd1830ea51c

    • SHA256

      66249be6bd9a6618b1378a7158cbc8940db32ee83c359023a7409bd7345b291f

    • SHA512

      f6fda6b31b6539fbfd7fb5033871831ed33503da73fac55fc089b5f650e56d479c7a6d855b78021b75efdcc9d4718d543740c5b7417eb4c33a0036aa48d203c1

    • SSDEEP

      49152:+HPfTkyop1sgc5zurwWMXphZk++FXalPHAhhrGspv7CsLIaR68:+HTJk+p5zu8WKl+ZSygspvJIK

    Score
    7/10
    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Target

      tmpfile-main/stTfuo7I.exe

    • Size

      4.9MB

    • MD5

      6f179cb4399501b0aef6bed87067c461

    • SHA1

      8cdfeebc4075540d4eb80403aab1c412ce1ff483

    • SHA256

      caa64978428e81f087a0407398a5a0d47c1d5e6e438f220c2ea34de3aa0bcb0c

    • SHA512

      20361366df3d0fe038a17230ab8002e784f5d10026375894b223b69cfde0c7885cefd294aecb5870fcd6dee12c5a427c98b0e086f96ae6c21120b2932893d2e2

    • SSDEEP

      98304:Mxv9MTqUi2Rg7yxivn0jokds41Fh4bpgxAYDaRDzHM4TOFRAJSNfcFXN/D+HxowG:2v9mfi866AYafs4iITrmnhpDBzvTKS

    Score
    1/10
    • Target

      tmpfile-main/stTfuo8I.exe

    • Size

      4.8MB

    • MD5

      e9f9aaf1b165f0e1a0310cfe04b7deaf

    • SHA1

      512b5d16ccc0a16619e69dda46382f346c1b1d51

    • SHA256

      9ab3067a40f40f1e171a5ae3cd036ae9ef32d8cabb0e06502e56fe6df67d6feb

    • SHA512

      d2940b5f86e731dae7df1d5f69cc138e03b50a19ff77843fdf61d92035f64449ba3e8948585cfeca709d871ccfd51aca8f734adc09dfde14c8e27d4c972f4d0c

    • SSDEEP

      98304:5F+ssBEhz9Nq5s7ydXteaDJ/23nPl2ptbzfoHvoimaTFAeXzl:5Xs2Ju9eaD0tGHfoTmE/D

    Score
    7/10
    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE
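
The SSDEEP values listed for each target are worth more than their hash-lookup role: Node32.exe and Node64.exe share block size 6144 and differ in only a few characters of both chunks, while Roblox.exe (block size 384) cannot be compared with them at all. The script below, added here and not part of the report, reimplements ssdeep's published comparison (64-character hash, 7-character common-substring window, weighted edit distance with substitution cost 2, block-size pairing rules) and clusters the report's own values. It is not the ssdeep library; for production work use `ssdeep -d` or python-ssdeep, whose scores it approximates but does not guarantee to match in every edge case.

```python
"""Cluster the report's SSDEEP values with a reimplementation of ssdeep's
comparison algorithm.  Added example; constants follow the ssdeep source
(SPAMSUM_LENGTH, ROLLING_WINDOW, MIN_BLOCKSIZE) but this is not that library."""
import re
from itertools import combinations

SPAMSUM_LENGTH = 64   # maximum chunk length ssdeep will score
ROLLING_WINDOW = 7    # chunks must share a 7-char substring to score at all
MIN_BLOCKSIZE = 3

# SSDEEP values copied from the report above (file name -> hash).
REPORT_SSDEEP = {
    "Node32.exe": "6144:NClTCNaC5liBrWdzoRQJx9LDmaAF5kDERQp+QDW9WkkHp683KX:NUolitMIaAFkJ6",
    "Node64.exe": "6144:dClTCNaC5liBrWdzoRQJx9LDmaAF5kDERQp+QDN9gkHp683KX:dUolitMIaAFkh6",
    "Roblox.exe": "384:JXZNVxlSBBE6ZzHFxwIF9BHOc/i2vfLUlp2wW:JXZZlSBTVfF9BHD/dE2wW",
    "Exterm.exe": "24576:75bRMyb2OEpAoC0HJ0EWRVW4ICikaZo8M:NbRMyb5YP0ny4xiNZoB",
    "Gaming Chair.exe": "49152:xMi7EDQljtuC9Ss8k9yi83GMB5rr3KJPjFJa9Ndcs8Mcs8Mcs8Mcs8M7Lbr7Lbr6:xBYDQ1th9SVk99scB",
}


def eliminate_sequences(s):
    """ssdeep drops every character beyond three identical ones in a row."""
    return re.sub(r"(.)\1{3,}", r"\1\1\1", s)


def parse(h):
    """Split 'blocksize:chunk1:chunk2' and normalise both chunks."""
    bs, s1, s2 = h.split(":", 2)
    return int(bs), eliminate_sequences(s1), eliminate_sequences(s2)


def edit_distance(a, b, ins=1, rem=1, rep=2):
    """Weighted Levenshtein distance; ssdeep charges 2 for a substitution."""
    prev = [j * ins for j in range(len(b) + 1)]
    for i, ca in enumerate(a, 1):
        cur = [i * rem]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + rem,
                           cur[j - 1] + ins,
                           prev[j - 1] + (0 if ca == cb else rep)))
        prev = cur
    return prev[-1]


def has_common_substring(a, b):
    return any(a[i:i + ROLLING_WINDOW] in b
               for i in range(len(a) - ROLLING_WINDOW + 1))


def score_strings(a, b, block_size):
    """Score two chunks of the same block size on a 0..100 scale."""
    if len(a) > SPAMSUM_LENGTH or len(b) > SPAMSUM_LENGTH:
        return 0
    if not has_common_substring(a, b):
        return 0
    score = edit_distance(a, b)
    score = score * SPAMSUM_LENGTH // (len(a) + len(b))   # normalise to 0..64
    score = 100 * score // SPAMSUM_LENGTH                  # then to a percentage
    if score >= 100:
        return 0
    score = 100 - score
    if block_size >= (99 + ROLLING_WINDOW) * MIN_BLOCKSIZE:
        return score
    # Small block sizes (tiny files) cannot justify a high score; cap it.
    return min(score, block_size // MIN_BLOCKSIZE * min(len(a), len(b)))


def compare(h1, h2):
    """ssdeep's pairing rules: equal block sizes compare chunk-for-chunk,
    a 2x block size compares the larger file's first chunk with the smaller's
    second chunk, anything else is incomparable (0)."""
    bs1, a1, a2 = parse(h1)
    bs2, b1, b2 = parse(h2)
    if bs1 == bs2 and a1 == b1 and a2 == b2:
        return 100
    if bs1 == bs2:
        return max(score_strings(a1, b1, bs1), score_strings(a2, b2, bs1 * 2))
    if bs1 == bs2 * 2:
        return score_strings(a1, b2, bs1)
    if bs2 == bs1 * 2:
        return score_strings(a2, b1, bs2)
    return 0


def cluster(hashes, threshold=50):
    """Return (name1, name2, score) for every pair at or above the threshold."""
    pairs = []
    for (n1, h1), (n2, h2) in combinations(sorted(hashes.items()), 2):
        score = compare(h1, h2)
        if score >= threshold:
            pairs.append((n1, n2, score))
    return pairs


if __name__ == "__main__":
    for n1, n2, score in cluster(REPORT_SSDEEP):
        print(f"{n1} ~ {n2}: {score}")
```

Running it pairs only Node32.exe with Node64.exe. The two Bdaejec-tagged files (Exterm.exe and Gaming Chair.exe) score 0 against each other, which is consistent with a family signature firing on two unrelated host binaries rather than on one shared build; the report's per-file hashes alone do not show that relationship either way.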

MITRE ATT&CK Enterprise v15

Tasks

static1

vmprotect themida
Score
7/10

behavioral1

persistence
Score
8/10

behavioral2

discovery
Score
3/10

behavioral3

discovery
Score
3/10

behavioral4

Score
7/10

behavioral5

bdaejec aspackv2 backdoor discovery evasion execution
Score
10/10

behavioral6

bdaejec aspackv2 backdoor discovery evasion execution
Score
10/10

behavioral7

discovery
Score
3/10

behavioral8

vmprotect
Score
7/10

behavioral9

vmprotect
Score
7/10

behavioral10

vmprotect
Score
7/10

behavioral11

vmprotect
Score
7/10

behavioral12

vmprotect
Score
7/10

behavioral13

discovery
Score
3/10

behavioral14

discovery evasion execution
Score
8/10

behavioral15

discovery execution persistence
Score
10/10

behavioral16

discovery
Score
3/10

behavioral17

discovery execution persistence
Score
10/10

behavioral18

discovery execution persistence privilege_escalation
Score
10/10

behavioral19

discovery
Score
8/10

behavioral20

Score
7/10

behavioral21

Score
7/10

behavioral22

Score
7/10

behavioral23

spyware stealer
Score
7/10

behavioral24

discovery
Score
3/10

behavioral25

discovery
Score
3/10

behavioral26

discovery themida
Score
7/10

behavioral27

Score
1/10

behavioral28

Score
7/10
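
The behaviours reported for Node32.exe, Node64.exe and Porofessor_Setup.exe (Run key persistence, service ImagePath writes, BIOS and Geo\Nation lookups, PowerShell adding Defender exclusions) map onto well-known registry locations and a documented cmdlet, so they can be turned into host-telemetry detections. The script below is an added example, not code from the report or the samples: the events are constructed Sysmon-style records whose command lines and value names are illustrative, and the registry paths and the `Add-MpPreference -Exclusion*` syntax are the standard Windows ones rather than anything observed in this run.

```python
"""Match the report's behaviour signatures against host telemetry.
Added example with constructed events; nothing here is the samples' real
command line, service name or Run-key value."""
import re

# (signature name from the report, event type, field to inspect, pattern)
RULES = [
    ("Adds Run key to start application", "registry_set", "target",
     re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)),
    ("Sets service image path in registry", "registry_set", "target",
     re.compile(r"\\SYSTEM\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$", re.I)),
    ("Checks BIOS information in registry", "registry_query", "target",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\BIOS\\", re.I)),
    ("Checks computer location settings", "registry_query", "target",
     re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)),
    ("Command and Scripting Interpreter: PowerShell", "process_create", "image",
     re.compile(r"(^|\\)(powershell|pwsh)\.exe$", re.I)),
    ("Modifies Windows Defender exclusions", "process_create", "command_line",
     re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Extension|Process)\b", re.I)),
]

# Constructed telemetry.  Sysmon logs registry writes (event 12/13) but not
# reads, so the registry_query records assume an EDR/ETW source that does.
EVENTS = [
    {"type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -NoProfile -Command "Add-MpPreference '
                     r'-ExclusionPath C:\Users\Public -ExclusionExtension .exe '
                     r'-ExclusionProcess Node64.exe"'},
    {"type": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Node64"},
    {"type": "registry_set",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\NodeSvc\ImagePath"},
    {"type": "registry_query",
     "target": r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"},
    {"type": "registry_query",
     "target": r"HKCU\Control Panel\International\Geo\Nation"},
    # Benign noise that must not fire.
    {"type": "process_create",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe report.txt"},
    {"type": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
]


def evaluate(events):
    """Return (event index, signature name) for every rule an event triggers."""
    hits = []
    for idx, ev in enumerate(events):
        for name, etype, field, pattern in RULES:
            if ev["type"] == etype and pattern.search(ev.get(field, "")):
                hits.append((idx, name))
    return hits


def summarize(events):
    """Distinct signatures seen; several together is the signal, one alone is noise
    (a BIOS read or a Run-key write happens in plenty of legitimate software)."""
    return sorted({name for _, name in evaluate(events)})


if __name__ == "__main__":
    for idx, name in evaluate(EVENTS):
        print(f"event {idx}: {name}")
    print("distinct behaviours:", len(summarize(EVENTS)))
```

Two caveats before using this for real: the BIOS and Geo\Nation checks are registry reads, which Sysmon does not log, so those two rules need an EDR or ETW registry-read feed; and "Looks up external IP address via web service" is deliberately absent, because the report does not name the service and a hostname watchlist would be a guess.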