Overview

General
Target: EXTERNAL.rar
Size: 61.4MB
Sample: 250219-rjbm5stpw6
MD5: c8d168da7b8f96cb1d9af018b5794fe2
SHA1: b4ad8f4061082292e75344cf19d8ff61c761bd35
SHA256: 9d1bdbf2d7b18f5cc380da85751468dea9f052f187ef136531d5bd48d723adae
SHA512: 78eb0a0b9a8155ce6f48d772222d6625d2888b2042ad55aa55454f1544cd180cde383b91492a9cc68184c5ff0551eaea6077ff9fa47ed890ac6f8ebcbc0d25d9
SSDEEP: 1572864:Wg6JRZNgg4UShYEbHKnHwX2V7hFVbh1ImmyojzAxKX2WDHeZwoO9Q:WDJ7R4UEYErKJnVRVoqKXz7eW/Q

Scores
Overall: 10/10
Static analysis: 7/10

Behavioral tasks (each extracted file was run once per sandbox image; the score is the per-run score)
Task | Sample | Environment (resource) | Score
behavioral1 | EXTERNAL/L-External.exe | windows7-x64 (win7-20241010-en) | 9
behavioral2 | EXTERNAL/L-External.exe | windows10-2004-x64 (win10v2004-20250217-en) | 9
behavioral3 | EXTERNAL/Requirements/Defender Control/Defender Control.exe | windows7-x64 (win7-20241010-en) | 10
behavioral4 | EXTERNAL/Requirements/Defender Control/Defender Control.exe | windows10-2004-x64 (win10v2004-20250217-en) | 5
behavioral5 | EXTERNAL/Requirements/Defender Control/Defender_Settings.vbs | windows7-x64 (win7-20241010-en) | 3
behavioral6 | EXTERNAL/Requirements/Defender Control/Defender_Settings.vbs | windows10-2004-x64 (win10v2004-20250217-en) | 1
behavioral7 | EXTERNAL/Requirements/OverwolfInstaller.exe | windows7-x64 (win7-20240903-en) | 4
behavioral8 | EXTERNAL/Requirements/OverwolfInstaller.exe | windows10-2004-x64 (win10v2004-20250217-en) | 5
behavioral9 | $PLUGINSDIR/CommandLine.dll | windows7-x64 (win7-20250207-en) | 1
behavioral10 | $PLUGINSDIR/CommandLine.dll | windows10-2004-x64 (win10v2004-20250217-en) | 1
behavioral11 | $PLUGINSDIR/DotNetZip.dll | windows7-x64 (win7-20240903-en) | 1
behavioral12 | $PLUGINSDIR/DotNetZip.dll | windows10-2004-x64 (win10v2004-20250217-en) | 1
behavioral13 | $PLUGINSDIR/INetC.dll | windows7-x64 (win7-20240903-en) | 3
behavioral14 | $PLUGINSDIR/INetC.dll | windows10-2004-x64 (win10v2004-20250217-en) | 3
behavioral15 | $PLUGINSDIR/Microsoft.Win32.TaskScheduler.dll | windows7-x64 (win7-20241010-en) | 1
behavioral16 | $PLUGINSDIR/Microsoft.Win32.TaskScheduler.dll | windows10-2004-x64 (win10v2004-20250217-en) | 1
behavioral17 | $PLUGINSDIR/Newtonsoft.Json.dll | windows7-x64 (win7-20240903-en) | 1
behavioral18 | $PLUGINSDIR/Newtonsoft.Json.dll | windows10-2004-x64 (win10v2004-20250217-en) | 1
behavioral19 | $PLUGINSDIR/OWInstaller.exe | windows7-x64 (win7-20240903-en) | 4
behavioral20 | $PLUGINSDIR/OWInstaller.exe | windows10-2004-x64 (win10v2004-20250217-en) | 5
behavioral21 | $PLUGINSDIR/OverWolf.Client.CommonUtils.dll | windows7-x64 (win7-20240903-en) | 1
behavioral22 | $PLUGINSDIR/OverWolf.Client.CommonUtils.dll | windows10-2004-x64 (win10v2004-20250217-en) | 1
behavioral23 | $PLUGINSDIR/SharpRaven.dll | windows7-x64 (win7-20240903-en) | 1
behavioral24 | $PLUGINSDIR/SharpRaven.dll | windows10-2004-x64 (win10v2004-20250217-en) | 1
behavioral25 | $PLUGINSDIR/System.dll | windows7-x64 (win7-20240903-en) | 3
behavioral26 | $PLUGINSDIR/System.dll | windows10-2004-x64 (win10v2004-20250217-en) | 3
behavioral27 | $PLUGINSDIR/UserInfo.dll | windows7-x64 (win7-20241010-en) | 3
behavioral28 | $PLUGINSDIR/UserInfo.dll | windows10-2004-x64 (win10v2004-20250217-en) | 3
behavioral29 | $PLUGINSDIR/app/cmp.html | windows7-x64 (win7-20241010-en) | 3
behavioral30 | $PLUGINSDIR/app/cmp.html | windows10-2004-x64 (win10v2004-20250217-en) | 3
behavioral31 | $PLUGINSDIR/app/index.html | windows7-x64 (win7-20240903-en) | 3
behavioral32 | $PLUGINSDIR/app/index.html | windows10-2004-x64 (win10v2004-20250217-en) | 3
Malware Config

Targets

Target: EXTERNAL/L-External.exe
Size: 31.4MB
MD5: 85b594f27029d0b6f6596e04f6ed88b7
SHA1: d1fa0c4df845908be7602d8f42910ee26b6cc804
SHA256: 3cde26727bba3e8a15f5de379189654ba5fe079d98190147946946b046f47327
SHA512: bfc6369264bcf809573ffa85140da687875a691c36ec25dec115ff954e154b0508d69e95182da42ed8a39864db8323bf7f7f66c285cfc75c5dc5237ab294dbc2
SSDEEP: 786432:W3QmUfZtpjvmyhr+XcDJJ+IMyaWpvhj1T8KkS:W3UZtpj+y142JJ+ILHB87S
Signatures:
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Modifies Windows Firewall
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks whether UAC is enabled
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
- Suspicious use of NtSetInformationThreadHideFromDebugger

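The "Writes to the Master Boot Record (MBR)" signature above is the one that turns a triage into a disk-forensics job. The Python below is an added example, not code from this report or from the sample: it parses a 512-byte MBR, checks the 0x55AA boot signature, decodes the partition table, and diffs the 440-byte bootstrap region against a recorded baseline, which is how an analyst compares a post-infection image with a known-good one. Both MBRs are constructed for the example; the bootstrap bytes are a stand-in stub, not real Windows boot code.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List

MBR_SIZE = 512
BOOT_CODE_SIZE = 440           # bytes 0..439: the bootstrap code a bootkit overwrites
DISK_SIG_OFFSET = 440          # 4-byte NT disk signature
PART_TABLE_OFFSET = 446        # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


@dataclass(frozen=True)
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def build_mbr(boot_code: bytes, disk_sig: int, partitions) -> bytes:
    """Assemble a 512-byte MBR from its parts (constructed test data, not a disk read)."""
    if len(boot_code) > BOOT_CODE_SIZE:
        raise ValueError("boot code too large")
    buf = bytearray(MBR_SIZE)
    buf[: len(boot_code)] = boot_code
    struct.pack_into("<I", buf, DISK_SIG_OFFSET, disk_sig)
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        # status, CHS start (3 bytes, unused here), type, CHS end, LBA start, sector count
        struct.pack_into("<B3sB3sII", buf, PART_TABLE_OFFSET + 16 * i,
                         0x80 if bootable else 0x00, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, count)
    buf[510:512] = BOOT_SIGNATURE
    return bytes(buf)


def parse_partitions(mbr: bytes) -> List[Partition]:
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from("<B3sB3sII", mbr, PART_TABLE_OFFSET + 16 * i)
        if ptype != 0:                       # type 0 is an empty slot
            parts.append(Partition(status == 0x80, ptype, lba, count))
    return parts


def boot_code_hash(mbr: bytes) -> str:
    return hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest()


def compare_mbr(baseline: bytes, current: bytes) -> Dict[str, bool]:
    """Diff a suspect MBR against a known-good one, region by region.

    A bootkit usually rewrites only the bootstrap code and leaves the partition table
    and disk signature alone so the OS still boots; that pattern is what stands out.
    """
    if len(baseline) != MBR_SIZE or len(current) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    return {
        "signature_valid": current[510:512] == BOOT_SIGNATURE,
        "boot_code_changed": boot_code_hash(baseline) != boot_code_hash(current),
        "disk_signature_changed": baseline[440:444] != current[440:444],
        "partition_table_changed": parse_partitions(baseline) != parse_partitions(current),
    }


def mbr_report(baseline: bytes, current: bytes) -> List[str]:
    """Human-readable findings; an empty list means the MBR matches the baseline."""
    diff = compare_mbr(baseline, current)
    notes = []
    if not diff["signature_valid"]:
        notes.append("boot signature 0x55AA missing")
    if diff["boot_code_changed"]:
        notes.append("bootstrap code differs from baseline")
    if diff["disk_signature_changed"]:
        notes.append("disk signature changed")
    if diff["partition_table_changed"]:
        notes.append("partition table changed")
    return notes


# Constructed baseline: a stand-in bootstrap stub (not real Windows boot code) and one
# active NTFS partition starting at LBA 2048.
CLEAN_BOOT_CODE = bytes.fromhex("fa33c08ed0bc007cfb") + b"\x90" * 40
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, 0x1A2B3C4D, [(True, 0x07, 2048, 204800)])

# The same disk after a bootkit-style write: the first bytes now jump to attacker code
# placed later in the 440-byte region; partition table and disk signature are untouched.
_infected = bytearray(CLEAN_MBR)
_infected[0:3] = b"\xeb\x3c\x90"                 # jmp short +0x3c
_infected[0x3e:0x3e + 16] = b"\xcc" * 16         # attacker stub placeholder
INFECTED_MBR = bytes(_infected)

if __name__ == "__main__":
    print(mbr_report(CLEAN_MBR, INFECTED_MBR))
```

A bootstrap-hash mismatch on its own is also what a legitimate boot-loader reinstall produces, so take the baseline from the same machine (or the stock loader for that OS build) and read the changed bytes before calling it a bootkit.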
Target: EXTERNAL/Requirements/Defender Control/Defender Control.exe
Size: 447KB
MD5: 58008524a6473bdf86c1040a9a9e39c3
SHA1: cb704d2e8df80fd3500a5b817966dc262d80ddb8
SHA256: 1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326
SHA512: 8cf492584303523bf6cdfeb6b1b779ee44471c91e759ce32fd4849547b6245d4ed86af5b38d1c6979729a77f312ba91c48207a332ae1589a6e25de67ffb96c31
SSDEEP: 6144:Vzv+kSn74iCmfianQGDM3OXTWRDy9GYQDUmJFXIXHrsUBnBTF8JJCYrYNsQJzfgu:Vzcn7EanlQiWtYhmJFSwUBLcQZfgiD
Score: 10/10
Signatures:
- Modifies security service
- Windows security modification
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory

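The registry-based signatures on L-External.exe (ACPI/BIOS anti-VM checks, the country-code geofence, the firewall change) and on Defender Control.exe (security service and Windows security modification) all reduce to reads and writes of a handful of well-known keys. The Python below is an added example, not code from this report or from either sample: it runs those checks over a registry snapshot modelled as a dict so it executes offline. The key paths and value names are the real Windows ones; the two snapshots are constructed for the example, and the ATT&CK ids are the editor's mapping of each indicator.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Registry snapshot model: key path -> {value name: data}. A key with no values is
# present as an empty dict, so "subkey exists" is simply "key in snapshot".
Snapshot = Dict[str, Dict[str, object]]

ACPI_ROOT = r"HKLM\HARDWARE\ACPI"                       # DSDT/FADT/RSDT\<OEM table id> subkeys
BIOS_KEY = r"HKLM\HARDWARE\DESCRIPTION\System"         # SystemBiosVersion, VideoBiosVersion
GEO_KEY = r"HKCU\Control Panel\International\Geo"      # Nation = GeoID of the configured country
DEFENDER_POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
FIREWALL_POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall"
# Vendor strings hypervisors leave in ACPI table ids and BIOS version strings.
VM_MARKERS = ("VBOX", "VIRTUALBOX", "INNOTEK", "VMWARE", "QEMU", "BOCHS")


@dataclass(frozen=True)
class Finding:
    category: str
    technique: str      # ATT&CK technique id the indicator maps to
    detail: str


def _strings(data: object) -> Iterable[str]:
    """REG_MULTI_SZ comes back as a list of strings, REG_SZ as one string."""
    if isinstance(data, (list, tuple)):
        return [str(x) for x in data]
    return [str(data)]


def vm_indicators(snap: Snapshot) -> List[Finding]:
    """The checks behind 'Identifies VirtualBox via ACPI registry values' and 'Checks BIOS
    information in registry': VirtualBox registers its ACPI tables under the OEM id VBOX__
    and stamps VBOX / VirtualBox into the BIOS version strings."""
    out: List[Finding] = []
    for key in snap:
        if key.upper().startswith(ACPI_ROOT.upper() + "\\"):
            parts = key.split("\\")                 # HKLM, HARDWARE, ACPI, <table>, <OEM id>
            if len(parts) == 5 and any(m in parts[4].upper() for m in VM_MARKERS):
                out.append(Finding("anti-vm", "T1497", f"ACPI {parts[3]} table id {parts[4]}"))
    for name in ("SystemBiosVersion", "VideoBiosVersion"):
        for s in _strings(snap.get(BIOS_KEY, {}).get(name, "")):
            if any(m in s.upper() for m in VM_MARKERS):
                out.append(Finding("anti-vm", "T1497", f"{name} = {s!r}"))
    return out


def geofence_country(snap: Snapshot) -> Optional[str]:
    """'Checks computer location settings': the GeoID (244 = United States) a sample
    reads to decide whether to run at all."""
    nation = snap.get(GEO_KEY, {}).get("Nation")
    return None if nation is None else str(nation)


def defense_tampering(snap: Snapshot) -> List[Finding]:
    """What 'Modifies security service' / 'Windows security modification' and
    'Modifies Windows Firewall' leave behind in the policy keys."""
    out: List[Finding] = []
    if snap.get(DEFENDER_POLICY, {}).get("DisableAntiSpyware") == 1:
        out.append(Finding("defense-evasion", "T1562.001", "Windows Defender DisableAntiSpyware=1"))
    rtp = snap.get(DEFENDER_POLICY + r"\Real-Time Protection", {})
    if rtp.get("DisableRealtimeMonitoring") == 1:
        out.append(Finding("defense-evasion", "T1562.001", "Real-Time Protection DisableRealtimeMonitoring=1"))
    for profile in ("DomainProfile", "StandardProfile", "PublicProfile"):
        if snap.get(f"{FIREWALL_POLICY}\\{profile}", {}).get("EnableFirewall") == 0:
            out.append(Finding("defense-evasion", "T1562.004", f"WindowsFirewall {profile} EnableFirewall=0"))
    return out


def triage(snap: Snapshot) -> List[Finding]:
    return vm_indicators(snap) + defense_tampering(snap)


# Constructed snapshots (not captured from the report's sandbox): a VirtualBox guest
# after a Defender Control-style run, and a physical host with nothing touched.
SANDBOX_GUEST: Snapshot = {
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__": {},
    r"HKLM\HARDWARE\ACPI\FADT\VBOX__": {},
    BIOS_KEY: {"SystemBiosVersion": ["VBOX   - 1"],
               "VideoBiosVersion": ["Oracle VM VirtualBox VESA BIOS"]},
    GEO_KEY: {"Nation": "244"},
    DEFENDER_POLICY: {"DisableAntiSpyware": 1},
    DEFENDER_POLICY + r"\Real-Time Protection": {"DisableRealtimeMonitoring": 1},
    FIREWALL_POLICY + r"\StandardProfile": {"EnableFirewall": 0},
}
PHYSICAL_HOST: Snapshot = {
    r"HKLM\HARDWARE\ACPI\DSDT\DELL__": {},
    BIOS_KEY: {"SystemBiosVersion": ["DELL   - 1072009"],
               "VideoBiosVersion": ["Intel Video BIOS"]},
    GEO_KEY: {"Nation": "244"},
}

if __name__ == "__main__":
    for f in triage(SANDBOX_GUEST):
        print(f"{f.category:15} {f.technique:10} {f.detail}")
    print("geo:", geofence_country(SANDBOX_GUEST))
```

On a live host the same dict is populated with winreg; on an image, from the SOFTWARE and NTUSER.DAT hives. The policy keys are only one of the places Defender state lives: a tool that instead stops the WinDefend service or flips Tamper Protection leaves nothing here, so an empty result means "no policy tampering", not "Defender intact".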
Target: EXTERNAL/Requirements/Defender Control/Defender_Settings.vbs
Size: 313B
MD5: b0bf0a477bcca312021177572311e666
SHA1: ea77332d7779938ae8e92ad35d6dea4f4be37a92
SHA256: af42a17d428c8e9d6f4a6d3393ec268f4d12bbfd01a897d87275482a45c847e9
SHA512: 09366608f2670d2eb0e8ddcacd081a7b2d7b680c4cdd02494d08821dbdf17595b30e88f6ce0888591592e7caa422414a895846a268fd63e8243074972c9f52d8
Score: 3/10
Signatures: none listed

Target: EXTERNAL/Requirements/OverwolfInstaller.exe
Size: 2.1MB
MD5: 66e3c44515e5eddfdd0c05140608bb3d
SHA1: 03b432566f443359c195394dd588ca24face2f98
SHA256: 257d09cca8254d6ee495fb30c596417574effc54084a8bfee6b5e5e5a957de7c
SHA512: a18f536e1e75700805cdc47d2e73dabb21d17563a1c20b32feee94779795987486eb652c58adf0fa1d875aaba9d5458b5198f299dc4d4195cb04fc089ab0be19
SSDEEP: 49152:NnnQYKJxE87vxpsrFpIvFbJo+McPe3ps7DYOcNvxicbs:NntgPN+TIvFby0e5qcOT
Score: 5/10
Signatures:
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops file in System32 directory
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

Target: $PLUGINSDIR/CommandLine.dll
Size: 71KB
MD5: 6d11c677cae02caa249a4f7f35fff112
SHA1: b417114c9b95ac2f3a2e9a68bf669f7342cd4cdb
SHA256: dde08c1db1ff43b08c7de59ae14045cb6fec13bec7ac65e142142453b8ab1ad4
SHA512: f992c2ad42372d0981e8512b34516b88c8ecacd89ade1027600ad883a6346c2b9d448fb027d38915b15f15f39c6b7f7d25c9af0c36835ff85224e48034609857
SSDEEP: 1536:dOZj9JT17qpL/6ePMqBNzrstoJSkrjbgbwzip3hwm7P+/P:dOx9JT17WPMqBNWAkbwzigmGP
Score: 1/10
Signatures: none listed

Target: $PLUGINSDIR/DotNetZip.dll
Size: 467KB
MD5: 190e712f2e3b065ba3d5f63cb9b7725e
SHA1: 75c1c8dd93c7c8a4b3719bb77c6e1d1a1620ae12
SHA256: 6c512d9943a225d686b26fc832589e4c8bef7c4dd0a8bdfd557d5d27fe5bba0f
SHA512: 2b4898d2d6982917612d04442807bd58c37739b2e4b302c94f41e03e685e24b9183b12de2057b3b303483698ad95e3a37795e6eb6d2d3b71e332b59deeca7d02
SSDEEP: 6144:GuCInHLhJI4FY/ixjci6ychf8xalGQGtSV41kJDsTDDpBnse6OVxLV/Wo0k:UQL32ikCaUS4csRBse6sfWNk
Score: 1/10
Signatures: none listed

Target: $PLUGINSDIR/INetC.dll
Size: 34KB
MD5: 87050902acf23fa5aa6d6aa61703db97
SHA1: d5555e17151540095a8681cd892b79bce8246832
SHA256: 0ecf8b76a413726d2a9c10213ad6e406211330e9e79cfde5024968eedc64a750
SHA512: d75d3fc84a61887ee63bad3e5e38f6df32446fd5c17bedce3edca785030b723b13134b09a9bbbbaca86d5ea07405b8c4afd524cc156a8c1d78f044a22dee9eab
SSDEEP: 384:5v1j9e9dEs+rN+qFLAjNXT37vYnOrvFhSL+ZwcSyekzANZBJbIYiPWMirgAM+o/o:51AvEs3HBLzYn29vYhkYiPoEAMxkE1e
Score: 3/10
Signatures: none listed

Target: $PLUGINSDIR/Microsoft.Win32.TaskScheduler.dll
Size: 126KB
MD5: 85f06c0b15781744fcf55c4e9bcca80d
SHA1: 2e0cb9a364d7cfe1371a5917b2af6aee58145ef3
SHA256: 42cde788e9d0f85ed71b4d1adaa313dc054ac2af58415d6d508507a661c8c70c
SHA512: 408618f635b9a800ebd3d019f5037c418f38e06891ba9404bf39f88ebe6363d34c7ab49ca2bf448c86f9ee67881c018b0f18d028c2bae6d0351c04478abd2bcf
SSDEEP: 3072:BBCeNh/pcfnLq3wyXYsKRNRwxz+gT37teucRpH0SL:BB/w4xQWOP
Score: 1/10
Signatures: none listed

Target: $PLUGINSDIR/Newtonsoft.Json.dll
Size: 692KB
MD5: 98cbb64f074dc600b23a2ee1a0f46448
SHA1: c5e5ec666eeb51ec15d69d27685fe50148893e34
SHA256: 7b44639cbfbc8ddac8c7a3de8ffa97a7460bebb0d54e9ff2e1ccdc3a742c2b13
SHA512: eb9eabee5494f5eb1062a33cc605b66d051da6c6990860fe4fd20e5b137458277a636cf27c4f133012d7e0efaa5feb6f48f1e2f342008482c951a6d61feec147
SSDEEP: 12288:p9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3SH:p8m657w6ZBLmkitKqBCjC0PDgM5CH
Score: 1/10
Signatures: none listed

Target: $PLUGINSDIR/OWInstaller.exe
Size: 305KB
MD5: 4d4b3bc910f70b7bb6d7da07a76c7404
SHA1: 082d17c125fb2b7dcb13d1a81dc99fbfc5ecbe75
SHA256: d9274e926fd1202f5691d187a694b130c227eafac03ed59f18e019b881ea8454
SHA512: c54d94a25c23eca98927a14728b62b3b8de41b8ec907d4a3ebcbd63db8ba400537b6fb3e59b243c2f2675eeebe70baa78d75b9a21d4c93a5d43b24d7d386ddc0
SSDEEP: 6144:BQXk7Ln7TE5+LoUDxO9bNDoSIm9U0COGq2jppldNcQ0:BQf+bkoS00aut
Score: 5/10
Signatures:
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops file in System32 directory
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

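Both OverwolfInstaller.exe and the OWInstaller.exe it carries are flagged for Component Object Model Hijacking, and an installer writing per-user COM registrations is exactly the case where that signature needs a second look. The Python below is an added example, not code from this report or from Overwolf: it models the HKCU and HKLM CLSID trees as dicts and flags the two patterns that actually indicate a hijack, a per-user CLSID that shadows a machine-wide one, and a server binary in a user-writable path. The GUIDs and paths are placeholders constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# CLSID -> {server key: path}: the InprocServer32 / LocalServer32 default values under
# HKCU\Software\Classes\CLSID and HKLM\Software\Classes\CLSID.
ComTree = Dict[str, Dict[str, str]]
SERVER_KEYS = ("InprocServer32", "LocalServer32")
# Path fragments that mean "writable without admin rights".
USER_WRITABLE = ("APPDATA", "\\TEMP\\", "PROGRAMDATA", "\\USERS\\PUBLIC\\", "\\DOWNLOADS\\")


@dataclass(frozen=True)
class ComFinding:
    clsid: str
    server_key: str
    user_path: str
    machine_path: Optional[str]
    reasons: str


def _norm(tree: ComTree) -> ComTree:
    """CLSIDs are case-insensitive; compare them in one case."""
    return {clsid.upper(): servers for clsid, servers in tree.items()}


def find_com_hijacks(hkcu: ComTree, hklm: ComTree) -> List[ComFinding]:
    """Flag per-user COM registrations worth a look.

    For a medium-integrity process HKCR is HKCU\\Software\\Classes merged over
    HKLM\\Software\\Classes with the user hive winning, so a CLSID present in both
    redirects every non-elevated consumer of that object to the HKCU server.
    Elevated (high-integrity) processes ignore the HKCU view entirely.
    """
    hkcu, hklm = _norm(hkcu), _norm(hklm)
    out: List[ComFinding] = []
    for clsid, servers in hkcu.items():
        machine = hklm.get(clsid)
        for skey, path in servers.items():
            if skey not in SERVER_KEYS:
                continue
            reasons = []
            if machine is not None:
                reasons.append("HKCU entry shadows an HKLM registration")
            if any(m in path.upper() for m in USER_WRITABLE):
                reasons.append("server binary in a user-writable location")
            if reasons:
                out.append(ComFinding(clsid, skey, path,
                                      machine.get(skey) if machine else None, "; ".join(reasons)))
    return out


# Constructed registry views (placeholder GUIDs, not real CLSIDs).
CLSID_SHELL_EXT = "{11111111-1111-1111-1111-111111111111}"    # machine-registered, hijacked per-user
CLSID_APP_SERVER = "{22222222-2222-2222-2222-222222222222}"   # machine-registered, untouched
CLSID_NEW_USER = "{33333333-3333-3333-3333-333333333333}"     # only in HKCU, loads from %TEMP%
CLSID_VENDOR_USER = "{44444444-4444-4444-4444-444444444444}"  # only in HKCU, ordinary per-user install

HKLM_CLSID: ComTree = {
    CLSID_SHELL_EXT: {"InprocServer32": r"C:\Windows\System32\shellext.dll"},
    CLSID_APP_SERVER: {"LocalServer32": r"C:\Program Files\Vendor\app.exe"},
}
HKCU_CLSID: ComTree = {
    CLSID_SHELL_EXT: {"InprocServer32": r"C:\Users\bob\AppData\Roaming\Updater\shellext.dll"},
    CLSID_NEW_USER: {"InprocServer32": r"C:\Users\bob\AppData\Local\Temp\helper.dll"},
    CLSID_VENDOR_USER: {"InprocServer32": r"C:\Program Files\Vendor\peruser.dll"},
}

if __name__ == "__main__":
    for f in find_com_hijacks(HKCU_CLSID, HKLM_CLSID):
        print(f"{f.clsid} {f.server_key}: {f.user_path}  [{f.reasons}]")
```

A per-user CLSID that exists nowhere in HKLM and points into Program Files, the fourth entry above, is what a normal per-user install looks like and produces no finding; the sandbox signature fires on the registry write itself, so it is the diff against HKLM, not the write, that separates an installer from a hijack.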
Target: $PLUGINSDIR/OverWolf.Client.CommonUtils.dll
Size: 655KB
MD5: 9562911e11231c09a4d420378c286f64
SHA1: a093e50dfb3cd7b71265d20c78c6182857ea518f
SHA256: c44259feeeae0f009deeffe5b83ed7e72727b8c409c7b62ef6ecb7b24b78b12a
SHA512: 6cc6baeb2ca726856c7ba4cfe5a9bf247584a28470dd0de3794274883693d6a0efe922af492e487beae21b53198413e61596ad0e70d448c92acdb06dd9143e5d
SSDEEP: 12288:0IqDIwxYNuTcAfimX8j4iXB/DVpyT8yRHRu:pwllX4RG86Ru
Score: 1/10
Signatures: none listed

Target: $PLUGINSDIR/SharpRaven.dll
Size: 82KB
MD5: f2f1cd4e9b1f772b7b7955c3310a126a
SHA1: 6ea2b5ee4461053ad353d4826ba61388f98c28fc
SHA256: a8cd61fc4478da0464967f5c74b6ecc6a880e879f49ba552f7c3056d3d0d562a
SHA512: 587aec3e0b2c913eb40259928dee536ffdb4f51c693682bf926351c86e1ace020bfff3fd9f279a48ecb0d2a46a460aa5d8adeddb3e268c7a5e5dae220100b66d
SSDEEP: 1536:1a9qjviI1YjOrfRK9bvyyfpHbnzDwkl7PyM:1EuqI1lRKbvyyB7nlll
Score: 1/10
Signatures: none listed

Target: $PLUGINSDIR/System.dll
Size: 21KB
MD5: 51bd16a2ea23ae1e7a92cedc6785c82e
SHA1: a9fbaeb9a695b9f2ba8a3ed8f0d95d2bf6a3d36c
SHA256: 4dbc79d2b1c7987cc64bb5d014db81bb5108bdd6d8bf3a5f820fac1ded62be33
SHA512: 66ffc18b2daf6c4cba01aef0e4af2f006a51aa218eab0f21dc66e47eea0389d2b1748ef0e30d2ec9f0123fd7f38ed3aee964dd6bde5779aaee19ebf55369af79
SSDEEP: 384:ASUmlw9T7DmnI5+N273FPlIYiPWfPJsaAM+o/8E9VF0NySk/bF:ASYTrINE3cYiPmvAMxkEt/Z
Score: 3/10
Signatures: none listed

Target: $PLUGINSDIR/UserInfo.dll
Size: 14KB
MD5: 1dd4ca0f4a94155f8d46ec95a20ada4a
SHA1: 5869f0d89e5422c5c4ad411e0a6a8d5b2321ff81
SHA256: a27dc3069793535cb64123c27dca8748983d133c8fa5aaddee8cdbc83f16986d
SHA512: f4914edc0357af44ed2855d5807c99c8168b305e6b7904dc865771ad0ee90756038612fe69c67b459c468396d1d39875395b1c8ec69e6da559fb92859204763e
SSDEEP: 192:9xvcecVMIYiYF8tO7zhjjWvp9A5K+o/y2sE9jBF0Ny+aiQE7:kruIYiPWhjjWvHAM+o/8E9VF0Nyp6
Score: 3/10
Signatures: none listed

Target: $PLUGINSDIR/app/cmp.html
Size: 5KB
MD5: d7b8b31b190e552677589cfd4cbb5d8e
SHA1: 09ffb3c63991d5c932c819393de489268bd3ab88
SHA256: 6c21e8c07ce28327dca05f873d73fe85d5473f9b22a751a4d3d28931f5d0c74f
SHA512: 32794507a4b9a12e52ceb583222cb93300e38c634a72ea3f51a0189127aba60cf476fb7918942355a4f826185d7071e876cb40348ba34cf5d1ca7e9546ccb310
SSDEEP: 48:t9rc0/GLAoShbEHaLKNGiNQtvmolOGR36tgtr/GTvJP8AscaV4LiMt7ByBZXGz+p:4VLjHa2NGiivmmpWsBVutFwAk5vSG
Score: 3/10
Signatures: none listed

Target: $PLUGINSDIR/app/index.html
Size: 20KB
MD5: c7b752acf6d1e10f3aca2c67b1ccf4d3
SHA1: ab793cb43e0c2b5af0fdcbf90d0d29d5d3e164f7
SHA256: 69b9f99f6611f953d94984ac35bdaf9e9817f689e1e3614976bebe3465c613fc
SHA512: 120addd79b7ade4f35b426c02631c8167d81080fde30a01b989453113f7547784e525d53bede41ede0c9b3caca8513060753ba51f75bf6936d32ee597d642576
SSDEEP: 192:8sdqpDNDPkFHmY74+/qmtRCtmK8W9I2gHHMlxh8B39LJ/Hab48JgJnc5w/93mJ8D:+WNaM8UnbjPk89+mppHL
Score: 3/10
Signatures: none listed

MITRE ATT&CK Enterprise v15 (number of matched signatures per technique)

Persistence
- Create or Modify System Process (T1543): 3
  - Windows Service (T1543.003): 3
- Event Triggered Execution (T1546): 2
  - Component Object Model Hijacking (T1546.015): 1
  - Netsh Helper DLL (T1546.007): 1
- Pre-OS Boot (T1542): 1
  - Bootkit (T1542.003): 1

Privilege Escalation
- Create or Modify System Process (T1543): 3
  - Windows Service (T1543.003): 3
- Event Triggered Execution (T1546): 2
  - Component Object Model Hijacking (T1546.015): 1
  - Netsh Helper DLL (T1546.007): 1

Defense Evasion
- Impair Defenses (T1562): 3
  - Disable or Modify System Firewall (T1562.004): 1
  - Disable or Modify Tools (T1562.001): 2
- Modify Registry (T1112): 5
- Pre-OS Boot (T1542): 1
  - Bootkit (T1542.003): 1
- Subvert Trust Controls (T1553): 1
  - Install Root Certificate (T1553.004): 1
- Virtualization/Sandbox Evasion (T1497): 1