General
Target: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.24224
Size: 542KB
Sample: 210223-12lzx44v3e
MD5: 060bd14ae501d8dae94cc73672ab195b
SHA1: e16be2044b73bfb717d92d13968eac473d64b8fc
SHA256: 757c6ccb2021bb12cb15fafcd4d748ef2d347ed4cb51076162563cbfe1ea01e0
SHA512: 4c39ee69a9e1f8511c8c37a714cd2e9a44f5223fa9c356a8c0d466d273caeba2c391107822111de63ebfbca53b4a4601e90f03d5317914dc53192ef8fef28704
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.24224.exe
Resource: win7v20201028
Behavioral task: behavioral2
Sample: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.24224.exe
Resource: win10v20201028
Malware Config
Extracted
Family: raccoon
aef61793e586ca15c24106ac17a2a83a30fb0a25
url4cnc: https://tttttt.me/h_scroogenews_1
The url4cnc value is not the C2 endpoint itself. tttttt.me is a Telegram web mirror, and Raccoon fetches that channel page at runtime and reads the real C2 address out of it (a dead-drop resolver). Alerting on the channel URL is worthwhile, but the C2 host it resolves to will differ from it and can be rotated without touching the sample.
Targets
Target: SecuriteInfo.com.Trojan.GenericKDZ.73124.19170.24224 (542KB; hashes as listed under General)
Signatures:
- Suspicious use of NtCreateProcessExOtherParentProcess. A process is created with a parent handle other than the caller (parent PID spoofing), so process-tree based detections will misattribute the child.
- Identifies VirtualBox via ACPI registry values (likely anti-VM).
- XMRig Miner Payload.
- Executes dropped EXE.
- Checks BIOS information in registry. BIOS information is often read in order to detect sandboxing environments.
- Deletes itself.
- Loads dropped DLL.
- Reads user/profile data of local email clients. Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers. Infostealers often target stored browser data, which can include saved credentials.
- Checks installed software on the system. Looks up Uninstall key entries in the registry to enumerate installed software.
- Legitimate hosting services abused for malware hosting/C2 (the Telegram channel in the url4cnc config value).
- Suspicious use of NtSetInformationThreadHideFromDebugger. Setting ThreadHideFromDebugger stops the thread from delivering debug events, an anti-debugging technique.
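The three registry-based signatures above (BIOS lookup, VirtualBox ACPI artifacts, Uninstall-key enumeration) can be reproduced as hunting logic over a registry-access trace. The script below is an added example, not output or code from the sandbox report: the "process|operation|key" log format is constructed for illustration, the sample lines are made up, and the key paths are the standard VirtualBox ACPI and BIOS registry locations rather than paths taken from this report.

```python
"""
Flag registry accesses matching the anti-analysis / reconnaissance
behaviours listed in the report (added example; assumptions below).

Assumed log format (constructed, not a real sandbox export):
    <process>|<operation>|<registry key path>
"""
import re
from collections import defaultdict

# Signature name -> regex on the registry key path (case-insensitive).
# Paths are the well-known VirtualBox/BIOS/Uninstall locations, assumed here.
SIGNATURES = {
    "Checks BIOS information in registry":
        r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS",
    "Identifies VirtualBox via ACPI registry values":
        r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__",
    "Checks installed software on the system":
        r"^HKLM\\SOFTWARE\\(WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Uninstall",
}
_COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in SIGNATURES.items()}

# Only read-style operations are of interest; value writes are a different story.
READ_OPS = {"regopenkey", "regqueryvalue", "regenumkey"}

LINE_RE = re.compile(r"^(?P<proc>[^|]+)\|(?P<op>[^|]+)\|(?P<key>.+)$")


def parse_line(line):
    """Parse 'process|operation|key' into a dict; None for malformed lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def match_signatures(key):
    """Return the names of all signatures whose path regex matches this key."""
    return [name for name, rx in _COMPILED.items() if rx.search(key)]


def scan(lines):
    """Scan trace lines; return {process: {signature: [matched keys]}}.

    Processes with no matching access are omitted entirely."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["op"].lower() not in READ_OPS:
            continue
        for sig in match_signatures(rec["key"]):
            hits[rec["proc"]][sig].append(rec["key"])
    return {proc: dict(sigs) for proc, sigs in hits.items()}


# Constructed sample trace (not real output from the sandbox run).
SAMPLE_LOG = [
    r"sample.exe|RegOpenKey|HKLM\HARDWARE\DESCRIPTION\System\BIOS",
    r"sample.exe|RegQueryValue|HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer",
    r"sample.exe|RegOpenKey|HKLM\HARDWARE\ACPI\DSDT\VBOX__",
    r"sample.exe|RegEnumKey|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"sample.exe|RegOpenKey|HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"explorer.exe|RegQueryValue|HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName",
    "garbage line without separators",
]

if __name__ == "__main__":
    for proc, sigs in scan(SAMPLE_LOG).items():
        for sig, keys in sigs.items():
            print(f"{proc}: {sig} ({len(keys)} access(es))")
```

On a VirtualBox guest the ACPI keys under HARDWARE\ACPI\*\VBOX__ exist only because of the hypervisor, so a single open of one of them is a strong anti-VM indicator; the BIOS and Uninstall keys are also read by plenty of legitimate software, so those two are best treated as context for the other signatures rather than alerts on their own.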