General
-
Target
2025-01-08_359fb026dcd789a53a996a337e671b12_avoslocker_hijackloader_luca-stealer_revil
-
Size
6.0MB
-
Sample
250108-jlhkgasphk
-
MD5
359fb026dcd789a53a996a337e671b12
-
SHA1
18186bdf2bb3688ee991f0a59beba4402f244fe2
-
SHA256
1681858e53e6eeb9694c3fffa3e57d1529222aaadda29c95bdf680ef994a2684
-
SHA512
05d55b65f247b76b9a882231dcbfe4a8a36e0848ee2e8561cc5b1b85a4a33b50bed2fdf7a687037f4fda3b4315e06797f8da93370f85cb035856a33276aae4a2
-
SSDEEP
98304:D2UoqTB3t4C9R9eI5Bt5kLqh66mr8RV5mw8vGCNy8+ylESkYkr/d6/W+zm:astjeKBtWy665kjD1+OEXdMLm
Static task
static1
Behavioral task
behavioral1
Sample
2025-01-08_359fb026dcd789a53a996a337e671b12_avoslocker_hijackloader_luca-stealer_revil.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2025-01-08_359fb026dcd789a53a996a337e671b12_avoslocker_hijackloader_luca-stealer_revil.exe
Resource
win10v2004-20241007-en
Malware Config
Targets
-
-
Target
2025-01-08_359fb026dcd789a53a996a337e671b12_avoslocker_hijackloader_luca-stealer_revil
-
Size
6.0MB
-
MD5
359fb026dcd789a53a996a337e671b12
-
SHA1
18186bdf2bb3688ee991f0a59beba4402f244fe2
-
SHA256
1681858e53e6eeb9694c3fffa3e57d1529222aaadda29c95bdf680ef994a2684
-
SHA512
05d55b65f247b76b9a882231dcbfe4a8a36e0848ee2e8561cc5b1b85a4a33b50bed2fdf7a687037f4fda3b4315e06797f8da93370f85cb035856a33276aae4a2
-
SSDEEP
98304:D2UoqTB3t4C9R9eI5Bt5kLqh66mr8RV5mw8vGCNy8+ylESkYkr/d6/W+zm:astjeKBtWy665kjD1+OEXdMLm
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
Enumerates processes with tasklist
-
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
2Change Default File Association
1Component Object Model Hijacking
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Event Triggered Execution
2Change Default File Association
1Component Object Model Hijacking
1Defense Evasion
Modify Registry
3Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Discovery
Network Service Discovery
1Network Share Discovery
1Process Discovery
1Query Registry
3Remote System Discovery
1System Information Discovery
5System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1System Network Connections Discovery
1