1c1e61fa3ca755e7f1616263bcf948ce2a22ae9d01dac95d4093f59ec5e42ce3 | Triage

Submit
Reports

Overview

overview

8

Static

static

3

PassatHook.exe

windows7-x64

1

PassatHook.exe

windows10-2004-x64

Resubmissions

28/03/2025, 19:50

250328-ykn37azzgv 10

28/03/2025, 19:45

250328-ygeeksslv2 10

28/03/2025, 19:28

250328-x6yn3szybz 10

28/03/2025, 19:13

250328-xxc11szxbt 8

Sharing

General

Target

PassatHook.exe
Size

14.7MB
Sample

250328-xxc11szxbt
MD5

eafb67ed7734f5561c709b64e6e36b8f
SHA1

d7d5859993759ef0079a92506a9eed6a11fbdf48
SHA256

1c1e61fa3ca755e7f1616263bcf948ce2a22ae9d01dac95d4093f59ec5e42ce3
SHA512

f152eab4c9b4d80ccfb9d9aea316838ea2f10376d681b1371dee02484fa68e8949a05c5fd6536f21939f036bd70cc179e364099d59f3aa3645bb8534b8f2c692
SSDEEP

393216:l++AaWnPOESRAc5OKC4JLXH9ip87knYOwPecB:HtQtgk4JrYp8gYOUf

Score

8^/10

bootkit defense_evasion discovery persistence privilege_escalation

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

PassatHook.exe

Resource

win7-20240903-en

windows7-x64

0 signatures

150 seconds

Behavioral task

behavioral2

Sample

PassatHook.exe

Resource

win10v2004-20250314-en

bootkit defense_evasion discovery persistence privilege_escalation

windows10-2004-x64

31 signatures

150 seconds

Malware Config

Targets

- Target
  
  PassatHook.exe
- Size
  
  14.7MB
- MD5
  
  eafb67ed7734f5561c709b64e6e36b8f
- SHA1
  
  d7d5859993759ef0079a92506a9eed6a11fbdf48
- SHA256
  
  1c1e61fa3ca755e7f1616263bcf948ce2a22ae9d01dac95d4093f59ec5e42ce3
- SHA512
  
  f152eab4c9b4d80ccfb9d9aea316838ea2f10376d681b1371dee02484fa68e8949a05c5fd6536f21939f036bd70cc179e364099d59f3aa3645bb8534b8f2c692
- SSDEEP
  
  393216:l++AaWnPOESRAc5OKC4JLXH9ip87knYOwPecB:HtQtgk4JrYp8gYOUf
Score

8^/10

bootkit defense_evasion discovery persistence privilege_escalation
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

Component Object Model Hijacking

Pre-OS Boot

Bootkit

Privilege Escalation

Event Triggered Execution

Component Object Model Hijacking

Defense Evasion

Pre-OS Boot

Bootkit

Subvert Trust Controls

SIP and Trust Provider Hijacking

Credential Access

Discovery

Browser Information Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

bootkitdefense_evasiondiscoverypersistenceprivilege_escalation

© 2018-2025

Terms | Privacy