Overview

Analysis tasks and scores (sandbox score out of 10):

Task                      Platform             Score
Overview                  -                    10
Static                    -                    3
74723b8f53...4d.exe       windows7-x64         10
74723b8f53...4d.exe       windows10-2004-x64   10
$PLUGINSDI...em.dll       windows7-x64         3
$PLUGINSDI...em.dll       windows10-2004-x64   3
$PLUGINSDIR/UAC.dll       windows7-x64         3
$PLUGINSDIR/UAC.dll       windows10-2004-x64   3
$PLUGINSDI...fo.dll       windows7-x64         3
$PLUGINSDI...fo.dll       windows10-2004-x64   3
$PLUGINSDI...gs.dll       windows7-x64         3
$PLUGINSDI...gs.dll       windows10-2004-x64   3
$PLUGINSDI...ec.dll       windows7-x64         3
$PLUGINSDI...ec.dll       windows10-2004-x64   3
Notepad2.exe              windows7-x64         1
Notepad2.exe              windows10-2004-x64   1
Two.vbs                   windows7-x64         8
Two.vbs                   windows10-2004-x64   1
patch.exe                 windows7-x64         9
patch.exe                 windows10-2004-x64   9
setup.exe                 windows7-x64         10
setup.exe                 windows10-2004-x64   10

General
Target: 74723b8f53fca55f5e0b5755465a69d78960131ec9dd49445b8bde4354d0c94d
Size: 4.5MB
Sample: 240624-k4msksvclh
MD5: 17caf50a89e0ca1e1e3e85cf7b14c509
SHA1: b4703fe095593e0978964c64db00cc142a0c672b
SHA256: 74723b8f53fca55f5e0b5755465a69d78960131ec9dd49445b8bde4354d0c94d
SHA512: 6acc0627291e232e89e5f2b8db73550e134d8cf7c217c4ab55fee1293f9c01537f9d8e13b05c0fa6e6e4143e7de35bdda754b6706ee6cf0be655be9392bd119e
SSDEEP: 98304:z27lsFWcG7V95lWEw58NQM8mxozibMW+kt1bPaf1FA1kOf2fBPxO41EEqCI4:zSjvV95oEGoQM8mezibMmdatTO61EEqC
Tasks

Static task: static1

Behavioral tasks:

Task          Sample                                                                   Resource
behavioral1   74723b8f53fca55f5e0b5755465a69d78960131ec9dd49445b8bde4354d0c94d.exe    win7-20240611-en
behavioral2   74723b8f53fca55f5e0b5755465a69d78960131ec9dd49445b8bde4354d0c94d.exe    win10v2004-20240508-en
behavioral3   $PLUGINSDIR/System.dll                                                   win7-20240508-en
behavioral4   $PLUGINSDIR/System.dll                                                   win10v2004-20240508-en
behavioral5   $PLUGINSDIR/UAC.dll                                                      win7-20240221-en
behavioral6   $PLUGINSDIR/UAC.dll                                                      win10v2004-20240611-en
behavioral7   $PLUGINSDIR/UserInfo.dll                                                 win7-20231129-en
behavioral8   $PLUGINSDIR/UserInfo.dll                                                 win10v2004-20240508-en
behavioral9   $PLUGINSDIR/nsDialogs.dll                                                win7-20240220-en
behavioral10  $PLUGINSDIR/nsDialogs.dll                                                win10v2004-20240508-en
behavioral11  $PLUGINSDIR/nsExec.dll                                                   win7-20240508-en
behavioral12  $PLUGINSDIR/nsExec.dll                                                   win10v2004-20240611-en
behavioral13  Notepad2.exe                                                             win7-20240508-en
behavioral14  Notepad2.exe                                                             win10v2004-20240611-en
behavioral15  Two.vbs                                                                  win7-20240611-en
behavioral16  Two.vbs                                                                  win10v2004-20240508-en
behavioral17  patch.exe                                                                win7-20240611-en
behavioral18  patch.exe                                                                win10v2004-20240508-en
behavioral19  setup.exe                                                                win7-20231129-en

$PLUGINSDIR is the temporary directory an NSIS installer extracts its plugin DLLs to. System.dll, nsExec.dll, nsDialogs.dll and UserInfo.dll are stock NSIS plugins and UAC.dll is a common third-party NSIS plugin, consistent with their low standalone scores; the installer's dropped payloads (patch.exe, setup.exe, Two.vbs) are where the behaviour of interest lives.
Malware Config (extracted)

Family: cryptbot
Domain: verf04.info
Targets

Target: 74723b8f53fca55f5e0b5755465a69d78960131ec9dd49445b8bde4354d0c94d
Size: 4.5MB
MD5: 17caf50a89e0ca1e1e3e85cf7b14c509
SHA1: b4703fe095593e0978964c64db00cc142a0c672b
SHA256: 74723b8f53fca55f5e0b5755465a69d78960131ec9dd49445b8bde4354d0c94d
SHA512: 6acc0627291e232e89e5f2b8db73550e134d8cf7c217c4ab55fee1293f9c01537f9d8e13b05c0fa6e6e4143e7de35bdda754b6706ee6cf0be655be9392bd119e
SSDEEP: 98304:z27lsFWcG7V95lWEw58NQM8mxozibMW+kt1bPaf1FA1kOf2fBPxO41EEqCI4:zSjvV95oEGoQM8mezibMmdatTO61EEqC
Signatures:
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocklisted process makes network request
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
  Calling NtSetInformationThread with the ThreadHideFromDebugger class stops debug events from the calling thread reaching an attached debugger, a common anti-debugging technique.

Target: $PLUGINSDIR/System.dll
Size: 11KB
MD5: bf712f32249029466fa86756f5546950
SHA1: 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
SHA256: 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
SHA512: 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4
SSDEEP: 192:0N2gQuUwXzioj4KALV2upWzVd7q1QDXEbBZ8KxHdGzyS/Kx:rJoiO8V2upW7vQjS/
Score: 3/10

Target: $PLUGINSDIR/UAC.dll
Size: 14KB
MD5: adb29e6b186daa765dc750128649b63d
SHA1: 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256: 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512: b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
SSDEEP: 192:DiF6v2imI36Op/tGZGfWxdyWHD0I53vLl7WVl8e04IpDlPjs:DGVY6ClGoWxXH75T1WVl83lLs
Score: 3/10

Target: $PLUGINSDIR/UserInfo.dll
Size: 4KB
MD5: c7ce0e47c83525983fd2c4c9566b4aad
SHA1: 38b7ad7bb32ffae35540fce373b8a671878dc54e
SHA256: 6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae
SHA512: ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e
Score: 3/10

Target: $PLUGINSDIR/nsDialogs.dll
Size: 9KB
MD5: 4ccc4a742d4423f2f0ed744fd9c81f63
SHA1: 704f00a1acc327fd879cf75fc90d0b8f927c36bc
SHA256: 416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6
SHA512: 790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb
SSDEEP: 192:SbEunjqjIcESwFlioU3M0LLF/t8t9pKSfOi:SbESjFCw6oWPFl8jfOi
Score: 3/10

Target: $PLUGINSDIR/nsExec.dll
Size: 6KB
MD5: 132e6153717a7f9710dcea4536f364cd
SHA1: e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
SHA256: d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
SHA512: 9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1
SSDEEP: 96:M/SspqrIYxLPEQhThvov3TE4/2Sa5P9QFFYzOx4uF3sbSEI5LP39sQvM:M/QUG7lhvov36S5FcUjliSEI5LuQ
Score: 3/10

Target: Notepad2.exe
Size: 693KB
MD5: b60d390ba42c0109ee38de2e0ca56e1a
SHA1: 735a4eb61fe695c9bd2c9961f5fa41ac5a73d833
SHA256: 9ac61841c5a9716c04d632f9d107a17e94af751573a50b9d2c1d5ce26e32b477
SHA512: 97d17a96a5773f2c8c78a1b985e75314c0ad8a5d9188b6e3d327b1445c04b15b99bd1697b8b12e4f3e56d040e5570f9e7b938e4d67cacca03a947093a082dc24
SSDEEP: 12288:6tmI4blkGgFigjLHnrX96Uym8EXwTfEIVXxuFNOFwXi4tjp:6tUtgI2LLX96E8EXwICgKwXi4tjp
Score: 1/10

Target: Two.vbs
Size: 120B
MD5: dce4476454d12f8906cfa1db72722e2d
SHA1: 4437a74ae0fcf7a4a636c04b7c0b80880871816a
SHA256: 53908a91a2c298fcfd2cd278d4e273ecd55a3b5c81f10775307352aca5e211e8
SHA512: 5a13b419813e768be03069332d3f655609221391b7faab5ed8c90ea57a7a26861ed0b5a256619ce9b8e62579e9e3ef9b0e8a37d6a688cb3795c62ea8cd55786f
Score: 8/10
Signatures:
- Blocklisted process makes network request

Target: patch.exe
Size: 2.1MB
MD5: 5da43c1e12289a6ee23c690404359d32
SHA1: d20ddb31c9c1c7c9bfd2c77890fb13608aac2c42
SHA256: 554d5c274a401ab86387b8feadaa30f95b9bfa5873434b7592a96b932aebc025
SHA512: 4a51da8e684688ce08a9bfc9ce1107ce30865fb171770269402bfa07df35a4db3eb79a8e54892855f1867f995691b5d52591971b8befb5870b9aa22945a40763
SSDEEP: 49152:wUUbht1m5u70uMqCOEXDq7imBnb77ZCVqhQI171hxlwB:vUt1mpyp8Xa77ZQK7Rl
Score: 9/10
Signatures:
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: setup.exe
Size: 2.1MB
MD5: 3657f6fadee899005c6556c07a890bba
SHA1: bb532f5420c5baacb7b19f508ec29440135c3c74
SHA256: 0ab71f45b1e9c6f5eba7ce76b31285a18e7a2851870e551b6aa3dbd8cd756aae
SHA512: 3158f42fc30ee5425a252dd976c0d3634b1df124cf364c5790071677e33082343be4f117f05c8cc725cfd566f87229c4d2fdd235849b1b34b13d9a7285324068
SSDEEP: 49152:/GxbKmg8Yvmx2jy1u9HWS8XCtMgdm4CnP22FbN7fwqGV7RkV:edKnmxujcStMkmxbFbN7w7C
Signatures:
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
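The signatures reported for the top-level sample, patch.exe and setup.exe (VirtualBox ACPI keys, BIOS values, Wine keys, the Uninstall enumeration, wallet directories, the external-IP lookup and NtSetInformationThread with ThreadHideFromDebugger) all reduce to a short list of registry, file, API and network indicators. The script below is an added example, not part of this report and not code from the sample, that matches those indicators over a constructed event trace and reports them under the same signature names. The specific registry paths, the 0x11 ThreadHideFromDebugger class value, the wallet directories and the IP-lookup hosts are the well-known indicators these signature names usually cover and are assumptions about what the sandbox matched on; the 'pid=N kind target' trace format and the trace lines themselves are made up for the example.

```python
"""Added example (not from the sandbox report or the sample): a minimal
signature matcher that reproduces the report's anti-VM, anti-debug and
discovery signatures over a constructed event trace.

Assumptions: the registry keys, API call, wallet directories and IP-lookup
hosts below are the well-known indicators these signature names usually
cover; the trace format 'pid=N kind target' and the trace itself are made up
for this example and are not the sample's real behaviour."""
import re
from collections import defaultdict

# (signature name as printed in the report, event kind, regex on the event target)
SIGNATURES = [
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)", "regquery",
     r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__"),
    ("Checks BIOS information in registry", "regquery",
     r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|SystemBiosDate|VideoBiosVersion)$"),
    ("Identifies Wine through registry keys", "regquery",
     r"\\Software\\Wine(\\|$)"),
    ("Checks installed software on the system", "regquery",
     r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall(\\|$)"),
    ("Accesses cryptocurrency files/wallets, possible credential harvesting", "fileread",
     r"\\(Electrum\\wallets|Exodus|Bitcoin\\wallets)\\"),
    ("Looks up external IP address via web service", "http",
     r"^https?://(api\.ipify\.org|ip-api\.com|ipinfo\.io)(/|$)"),
    # ThreadInformationClass 0x11 is ThreadHideFromDebugger.
    ("Suspicious use of NtSetInformationThreadHideFromDebugger", "apicall",
     r"^NtSetInformationThread\(.*ThreadInformationClass=0x11\b"),
]
COMPILED = [(name, kind, re.compile(pat, re.IGNORECASE)) for name, kind, pat in SIGNATURES]

# Signatures that mean the sample is probing for a VM, sandbox or debugger.
EVASION = {
    "Identifies VirtualBox via ACPI registry values (likely anti-VM)",
    "Checks BIOS information in registry",
    "Identifies Wine through registry keys",
    "Suspicious use of NtSetInformationThreadHideFromDebugger",
}

# Constructed trace (not the sample's real events); the last line is benign noise.
TRACE = r"""
pid=2104 regquery HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
pid=2104 regquery HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
pid=2104 regquery HKEY_CURRENT_USER\Software\Wine
pid=2104 apicall NtSetInformationThread(ThreadHandle=0xfffffffe, ThreadInformationClass=0x11)
pid=2104 regquery HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F83216020FF}
pid=2104 fileread C:\Users\user\AppData\Roaming\Electrum\wallets\default_wallet
pid=2104 http http://api.ipify.org/
pid=2104 regquery HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
"""


def parse_trace(text):
    """Parse 'pid=N kind target' lines into (pid, kind, target) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(maxsplit=2)
        if len(parts) == 3:
            events.append(tuple(parts))
    return events


def match_signatures(events):
    """Return {signature name: [targets that triggered it]} for every signature that fired."""
    hits = defaultdict(list)
    for _pid, kind, target in events:
        for name, sig_kind, rx in COMPILED:
            if kind == sig_kind and rx.search(target):
                hits[name].append(target)
    return dict(hits)


def is_sandbox_aware(hits):
    """True if any evasion signature fired, i.e. the trace looks for a VM, sandbox or debugger."""
    return any(name in EVASION for name in hits)


if __name__ == "__main__":
    hits = match_signatures(parse_trace(TRACE))
    for name, targets in hits.items():
        print(f"[{name}]")
        for target in targets:
            print(f"    {target}")
    print("sandbox-aware:", is_sandbox_aware(hits))
```

Matching on event kind plus target keeps a registry read of a Wine key from firing on an unrelated file path with the same substring, and splitting the evasion signatures out of the rest lets a triage pipeline treat "probes for an analysis environment" as its own verdict, which is what separates the 9/10 and 10/10 payloads here from the 3/10 NSIS plugins.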