General
Target: Hydrargyrum.exe
Size: 3.7MB
Sample: 250404-cxgc8azr13
MD5: a0a8391a92e6c46ab606fcd57cf4f4a4
SHA1: 930e6f27b6007529edff5371a1793b36a05d76ee
SHA256: dd97db57914c2b501d6a0762ff8e1dca8f921aec80887e2d3842b399bea16571
SHA512: 80798537a6c7fb585e19f399741230fed26d398bcfa17196b9e2d2de9aae1f8b0c33674113e676de390fff4cceeaea2b04976c82d5ab75f955eb51a44f90bcd7
SSDEEP: 98304:mqZyM3zLdY32bVNZKCIHcF1T1S2kG6nl6A:TsAZY32PsFIsXl6
Behavioral task: behavioral1
Sample: Hydrargyrum.exe
Resource: win10v2004-20250314-en
Malware Config

Targets
Target: Hydrargyrum.exe
Size: 3.7MB
MD5: a0a8391a92e6c46ab606fcd57cf4f4a4
SHA1: 930e6f27b6007529edff5371a1793b36a05d76ee
SHA256: dd97db57914c2b501d6a0762ff8e1dca8f921aec80887e2d3842b399bea16571
SHA512: 80798537a6c7fb585e19f399741230fed26d398bcfa17196b9e2d2de9aae1f8b0c33674113e676de390fff4cceeaea2b04976c82d5ab75f955eb51a44f90bcd7
SSDEEP: 98304:mqZyM3zLdY32bVNZKCIHcF1T1S2kG6nl6A:TsAZY32PsFIsXl6
- Modifies WinLogon for persistence
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
- Suspicious use of NtSetInformationThreadHideFromDebugger
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Winlogon Helper DLL (1)
- Event Triggered Execution (1): Image File Execution Options Injection (1)
- Pre-OS Boot (1): Bootkit (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Winlogon Helper DLL (1)
- Event Triggered Execution (1): Image File Execution Options Injection (1)
Defense Evasion
- Modify Registry (2)
- Pre-OS Boot (1): Bootkit (1)
- Virtualization/Sandbox Evasion (1)