General

  • Target

    Lmfekeldirxz.ex

  • Size

    3.0MB

  • Sample

    250226-2lq6qawqt5

  • MD5

    0372cb4f806947727400d1937f3e8063

  • SHA1

    89aee134a5226e103f702f434a059c601eebf336

  • SHA256

    5f2b46e3cfb853b3be645309ea8378f6535bf7128e0794ff9ab2ef0972554e8a

  • SHA512

    b92f743d4fd4101bee6e6a8becba6be698f36ac83a18b0913bf0bc22d8a0ca57ea1bf659936a9398f729ed6b0f323bb437e6a67b4e0d5a79efba0baadf093fe1

  • SSDEEP

    49152:L2Xg/Wplj7e9IDcaZw1g9cDv1a4TOJMomYJJ8FRmrc:A8Qle9Id4Vha46JMdEJE

Malware Config

Extracted

Family

stealerium

C2

https://discord.com/api/webhooks/1038709348303650857/DLQdA51dlH2mWOgr-jjNC0jvu25-oWapgKwxpsqsFwOSYLm4gQOEdFE6XXg7_sReK0AB

Targets

    • Target

      Lmfekeldirxz.ex

    • Size

      3.0MB

    • MD5

      0372cb4f806947727400d1937f3e8063

    • SHA1

      89aee134a5226e103f702f434a059c601eebf336

    • SHA256

      5f2b46e3cfb853b3be645309ea8378f6535bf7128e0794ff9ab2ef0972554e8a

    • SHA512

      b92f743d4fd4101bee6e6a8becba6be698f36ac83a18b0913bf0bc22d8a0ca57ea1bf659936a9398f729ed6b0f323bb437e6a67b4e0d5a79efba0baadf093fe1

    • SSDEEP

      49152:L2Xg/Wplj7e9IDcaZw1g9cDv1a4TOJMomYJJ8FRmrc:A8Qle9Id4Vha46JMdEJE

    • Stealerium

      An open-source info stealer written in C#, first seen in May 2022.

    • Stealerium family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks