4ddaa14f57744b2cac875ffb15a09e49246b9a45ab3c1122dca7aa47f820a1f2

Sharing

Copy URL

Twitter E-mail

General

Target

GlassWireSetup.exe
Size

78.8MB
Sample

240630-hzxqwaxhmn
MD5

7b6cc2a288ff0738ca69d4bf6688b5e2
SHA1

06c050428c0708d2f20d464f4ec43b3518dab58e
SHA256

4ddaa14f57744b2cac875ffb15a09e49246b9a45ab3c1122dca7aa47f820a1f2
SHA512

25bd4b3680a0b83949b1b9b27307be14e22946e44415f1525fd42d6d32f7c414659b5652716220be34a3f65cd22dbd351b4309bd279f3fb72cd5178cc9b26da1
SSDEEP

1572864:V0SU7bAyCN59pjGHal/j7CKh3/YtSh/2T3+IzVgEu6ns8g2zZxC5snRKEn/zNHMJ:V0SU7EJvrl7+C3AoNg35Zg12fC5snjxW

Score

9^/10

Malware Config

Targets

- Target
  
  GlassWireSetup.exe
- Size
  
  78.8MB
- MD5
  
  7b6cc2a288ff0738ca69d4bf6688b5e2
- SHA1
  
  06c050428c0708d2f20d464f4ec43b3518dab58e
- SHA256
  
  4ddaa14f57744b2cac875ffb15a09e49246b9a45ab3c1122dca7aa47f820a1f2
- SHA512
  
  25bd4b3680a0b83949b1b9b27307be14e22946e44415f1525fd42d6d32f7c414659b5652716220be34a3f65cd22dbd351b4309bd279f3fb72cd5178cc9b26da1
- SSDEEP
  
  1572864:V0SU7bAyCN59pjGHal/j7CKh3/YtSh/2T3+IzVgEu6ns8g2zZxC5snRKEn/zNHMJ:V0SU7EJvrl7+C3AoNg35Zg12fC5snjxW
Score

9^/10

discovery evasion trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/GWInstSt.exe
- Size
  
  2.2MB
- MD5
  
  9a62cce787dfcc54209313a7f9fb6671
- SHA1
  
  35308ca6dfe2862f88f9ba60b4ddb42cfa188f0e
- SHA256
  
  9df71be3506e9bdd85b3e688a7672fbad674c6ae4a2e1f6cd40326c07e1b839a
- SHA512
  
  681c4144ce964780c19dae317fc861e4bbccb4130738d00fb1424b9f3c115c05c98b506952a017c03ce1cdecfc4bcf257b0ffacc5765e0dea4e817d46e1cd397
- SSDEEP
  
  49152:zU2GpDy79bnUKbpxU30TzlefgDvL+M7bG8uPvkkqqFcMfGJMEf:4bDsXbpnTzlLaMHG8AqqFrS
Score

9^/10

evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/StartMenu.dll
- Size
  
  7KB
- MD5
  
  a8c86996c4230c2209f5927f21321377
- SHA1
  
  45ce0ab93cb6a3a594e54878cce05df724024393
- SHA256
  
  110545415a59402635e1c9439acba15b44bab268ed02ad2a262ce12604a47855
- SHA512
  
  69ee73496b916777936b0dddd2cc4a4f916e393f7d0b167cba77a4a239ee1e3f645d9b90dee1627c42a23eb6c3403e4d086546b9f78b3a2e4999c8f92f6a3bc3
- SSDEEP
  
  96:mIt3J2Gl0eVe0+Cfo0UkXt6+o69UiGdPh5/utta/23lkCTcaqHCI:bhE+A0+sF6piUFkAylncviI
Score

3^/10
behavioral5 behavioral6
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  4add245d4ba34b04f213409bfe504c07
- SHA1
  
  ef756d6581d70e87d58cc4982e3f4d18e0ea5b09
- SHA256
  
  9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706
- SHA512
  
  1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d
- SSDEEP
  
  192:VjHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZv0QPi:B/Qlt7wiij/lMRv/9V4bvr
Score

3^/10
behavioral7 behavioral8
- Target
  
  $PLUGINSDIR/nsDialogs.dll
- Size
  
  9KB
- MD5
  
  1d8f01a83ddd259bc339902c1d33c8f1
- SHA1
  
  9f7806af462c94c39e2ec6cc9c7ad05c44eba04e
- SHA256
  
  4b7d17da290f41ebe244827cc295ce7e580da2f7e9f7cc3efc1abc6898e3c9ed
- SHA512
  
  28bf647374b4b500a0f3dbced70c2b256f93940e2b39160512e6e486ac31d1d90945acecef578f61b0a501f27c7106b6ffc3deab2ec3bfb3d9af24c9449a1567
- SSDEEP
  
  96:o4Ev02zUu56FcS817eTaXx85qHFcUcxSgB5PKtAtoniJninnt3DVEB3YsNqkzfFc:o4EvCu5e81785qHFcU0PuAw0uyGIFc
Score

3^/10
behavioral10 behavioral9
- Target
  
  $PLUGINSDIR/nsExec.dll
- Size
  
  7KB
- MD5
  
  b4579bc396ace8cafd9e825ff63fe244
- SHA1
  
  32a87ed28a510e3b3c06a451d1f3d0ba9faf8d9c
- SHA256
  
  01e72332362345c415a7edcb366d6a1b52be9ac6e946fb9da49785c140ba1a4b
- SHA512
  
  3a76e0e259a0ca12275fed922ce6e01bdfd9e33ba85973e80101b8025ef9243f5e32461a113bbcc6aa75e40894bb5d3a42d6b21045517b6b3cf12d76b4cfa36a
- SSDEEP
  
  96:JwzdzBzMDhOZZDbXf5GsWvSv1ckne94SDbYkvML1HT1fUNQaSGYuH0DQ:JTQHDb2vSuOc41ZfUNQZGdHM
Score

3^/10
behavioral11 behavioral12
- Target
  
  $PLUGINSDIR/nsihelper.dll
- Size
  
  5.9MB
- MD5
  
  96955b513868646bff7b65b2e671e43f
- SHA1
  
  a36c0c4191e0ab5bd3948de17b94fb413af3a52c
- SHA256
  
  01615b77079a837aee522812eb82d60bd4c20c3c0a5a6739b623d3d18b2513ac
- SHA512
  
  b60fd0895f13958f089dbf1f11777a6372c9f6ec2ab77416f7f92d7e58dc5079f4523d1cbd013e9278fc1adda273a592be748e1be8b6b61dd61a70ed66c5f76f
- SSDEEP
  
  98304:7GfeZrOyJpVt1z1qKodLSabEyMbz7j5SKrnnfKO4SLcjixplkSQNe:KfeZDDB1wLxwyMn5TDnfV4nkpse
Score

9^/10

evasion trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral13 behavioral14
- Target
  
  $PLUGINSDIR/vc_redist.x86.exe
- Size
  
  13.1MB
- MD5
  
  dd0232ee751164eaad2fe0de7158d77d
- SHA1
  
  7391663f07cba7c99f3503929fcd3561f1f6a552
- SHA256
  
  4c6c420cf4cbf2c9c9ed476e96580ae92a97b2822c21329a2e49e8439ac5ad30
- SHA512
  
  cc82a7a8ead3c036559109d4daee623622edd4b4b5241545efa0e36d906c1af10d4056ad003f8849475f4e1e625eb9f27de7a9e13b28ac7ab88da99d5f926c2e
- SSDEEP
  
  393216:eEHMlptVYmfr7yBG/4u1ma3R9kCX83LHqD:eeApttD7yBG/Fm8Hg2D
Score

7^/10

discovery
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral15 behavioral16
- Target
  
  GWCtlSrv.exe
- Size
  
  8.3MB
- MD5
  
  4bd8532fd72e25bdd49f004a25aa04f7
- SHA1
  
  e90e057f783ed9b533c7b03ae4f12b5393e26b67
- SHA256
  
  05615a4cbdca16f882301486ebf4419a049d408d696e04421c8ec5e6f3181708
- SHA512
  
  b356ca56ef2408e21f42fa21ed3cfb7bb1f366bb75f404c7ed737a041606c137b430400ccfceb9c972ee55804f456bdadb218231a7a94e8b5b32fe71f82606b7
- SSDEEP
  
  98304:Ap2FTVnmyy3uj3+wm7n/uPyvZHz9HRX+pPIk1DNrMRdRgVDJUpx90w2B42weYjEi:AWTv+17nRZTLuxfRawwXpjEzKy/9k1
Score

9^/10

evasion trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral17 behavioral18
- Target
  
  GWEventLog.dll
- Size
  
  4.5MB
- MD5
  
  1e1b855cd1cc8bc00c0dbb0fad8e75dd
- SHA1
  
  e77da5a642e76da25f20726d7490ac9333d1ca2d
- SHA256
  
  a97e9c4955460de4449b509198363ca5e35e31b29ea07766741744b559614fa8
- SHA512
  
  339fff314fc5d16e78ff3755200e7cccb2dbb8d8a040a8c3f532dd9aecf6ae0563fc2ea44be55558dda2d036aa878f0e37e716b502528eec64ffca98b73a79ed
- SSDEEP
  
  98304:PmnQGvFmplY+XPmgh/vxqPYhc335Z2nRfe5bWGHtXbVkOz0jC64GBT8T:PKmpBmCwleRfCbWLzjChGxW
Score

9^/10

evasion trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral19 behavioral20
- Target
  
  GWIdlMon.exe
- Size
  
  5.3MB
- MD5
  
  5d333cdf3eced3cf2f61c07cc15a8eba
- SHA1
  
  6321f00a6f39dc1f8b22cafccb6c5fe47aa29e65
- SHA256
  
  fdf09a997ff577218a43fab6767d3a6239f12ffe59d9917d44e540bc23fdd252
- SHA512
  
  51b61345f81549693900e7b2e1592be0da03e0e3fee5c75885cb4af3e851f757097e5d18d625cb3868ea5f5d4bfc9ca6c1d8fda1ba17eb8ae48a905b82c7faba
- SSDEEP
  
  98304:2wnrJIKFej1+izXGP/JRZOqZVZpSxhJO5vsI7k7LJKSm24rfUN9tjjtNB:7n9xex+iiJRMqNp8hM5EI7k7opfrfUNZ
Score

9^/10

evasion trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral21 behavioral22
- Target
  
  GWUnlock.exe
- Size
  
  3.9MB
- MD5
  
  e3b8025f68218afe124eac6fe003eff6
- SHA1
  
  8ec765a41e631c5d77882e71d48f63fc0d0ffbbd
- SHA256
  
  f424e81a5504896a2f96a56433e086daf86020d3503d88b67fa885a75eb79389
- SHA512
  
  136f9a72dc76a412669675b7d17527f5d1d63ae793afddce0554e070eafc954c8b33683fc2c3dd13b64f09437f05ef796edc4140d6421f15c50387a8a8a83962
- SSDEEP
  
  98304:SKaIL5ysioj6zmmKO0msVe/GZfqOOijGEeJJqhhMmWb:2IL5Z+mmKO0vy03tpib
Score

9^/10

evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral23 behavioral24
- Target
  
  GWUpgradeMonitor.exe
- Size
  
  7.4MB
- MD5
  
  a351396335a81329006c0765d5e3f7d6
- SHA1
  
  e1ab7aaa5e71b71a2203e9399201737e041f2878
- SHA256
  
  03a2cf2c6e265523e81b3ae326a14328a676802d35047ab2e241136286d0dc34
- SHA512
  
  5d17fb62f6e06e2693a4a47bf0f8599437167862eecaeb940465c1c6cca92a49503f649fe11ebb408b5bdae417b04125adcd12ef53da4bfaa83feea626e260e6
- SSDEEP
  
  196608:0OBk+ju1viOeuw4QNWbwd/ogrzVF/QI+Fz2sP6gSF:vDu1viUMKarZN+B2+Zk
Score

9^/10

evasion trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral25 behavioral26
- Target
  
  GlassWire.exe
- Size
  
  11.4MB
- MD5
  
  0cdf65d9e3da8dcf541ac718aa4cac26
- SHA1
  
  5cd8aa79429ceee076d9f38b56863550ac3be478
- SHA256
  
  18bb786859c67faa73a71f305784a33e062445b1ba5e7114ce1f5f3d924fe766
- SHA512
  
  e3d87710594f835fc6b4ebbcc06263b4a91340cf55c0c909e62f66c712b86aefb91bd9c9b8f9985a518b7e06345cbc3bc4315562f7bb2c2ad0a15b5439e99701
- SSDEEP
  
  196608:F2S9fwxgol7RKTnh/lxJBjvy9xM0uI6HGWnB7LlyjC2g1ZH2cP:F2qCN4TdlxHjv62RfB7hoCLZW6
Score

9^/10

evasion trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks whether UAC is enabled
  evasion trojan
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral27 behavioral28
- Target
  
  Qt5Core.dll
- Size
  
  5.1MB
- MD5
  
  e1dc6cab6ffae535256b534d7d9807b6
- SHA1
  
  55cadb1d437e83e5f4720fc3d4d58d5ce41d6e6c
- SHA256
  
  97b5274bb4f1a746318cfdcce8cccc5dc81560825876ce27a68f0f416299acbb
- SHA512
  
  c3692fa72398a88f05247dc13b814073462b1df4a336ad3624769745e0e4a77d4ca549397477792c63714d286e6185d7abca3f8fbb64df6ae1df474c366f605b
- SSDEEP
  
  49152:r1AH+7g4QrRpvOK8Bbl+Gy+/LZsxRFNHlZTlJsv6tWKFdu9C/cPk4VHEYI9CV4en:p5gje5lCjzJsv6tWKFdu9CtvDhgwc1
Score

3^/10
behavioral29 behavioral30
- Target
  
  Qt5Gui.dll
- Size
  
  5.6MB
- MD5
  
  09d02d3a0a98525e416feffd2b759028
- SHA1
  
  7f84faa29987dd60c5e1651096efa8b4b95d70e1
- SHA256
  
  f84f0c5e177f12b1f9e7054ff15bf9640cce8da8bbaf1d08bc40636227bc105a
- SHA512
  
  e622acba8f6cff71061aafb74f5b9006477d521ead4e48f4f0b1fffa70b85b822fbe309de703ab0dc38d87beede8881766dd45330465365a5d6a32b71119228d
- SSDEEP
  
  49152:zKUDGaBVW3sDAPNaiCZPcSnt8KQ6oOtA/tiG7WwjrAxLXwQ98vd+hc0WM66fL5cn:WUKssPdOy/tZWnXThVc5tnB6NDr2
Score

1^/10
behavioral31 behavioral32

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Targets

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Checks whether UAC is enabled

Checks computer location settings

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27