General
-
Target
winrar-64-6.21-installer_AmGAP-1.exe
-
Size
1.7MB
-
Sample
240701-ramdaayfpp
-
MD5
17b1ea1089ccf5e5ef81c5dfafdb90ff
-
SHA1
af0c22f715c97474303ff13364a71280c1d0f698
-
SHA256
f81c79de1b8bec0ffcd299c964d8cf0bee0d983ab465b693dbfd7347d2c64f87
-
SHA512
3e90c90477075856f77194cb6842501402f4eb49a68df84f5f3d49b5a8edae012e257908483c8451bc20bb89755c0b51c94c9499f4e3b6b85e88f8722e6d6a73
-
SSDEEP
24576:f7FUDowAyrTVE3U5Fmuj6C9FPusBoPwbpm90jiJ/65kr2kLgaJyLHbTVYyT:fBuZrEUr6CzmsBoYbpUF65GzOB
Static task
static1
Behavioral task
behavioral1
Sample
winrar-64-6.21-installer_AmGAP-1.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
winrar-64-6.21-installer_AmGAP-1.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
winrar-64-6.21-installer_AmGAP-1.exe
Resource
win11-20240508-en
Malware Config
Targets
-
-
Target
winrar-64-6.21-installer_AmGAP-1.exe
-
Size
1.7MB
-
MD5
17b1ea1089ccf5e5ef81c5dfafdb90ff
-
SHA1
af0c22f715c97474303ff13364a71280c1d0f698
-
SHA256
f81c79de1b8bec0ffcd299c964d8cf0bee0d983ab465b693dbfd7347d2c64f87
-
SHA512
3e90c90477075856f77194cb6842501402f4eb49a68df84f5f3d49b5a8edae012e257908483c8451bc20bb89755c0b51c94c9499f4e3b6b85e88f8722e6d6a73
-
SSDEEP
24576:f7FUDowAyrTVE3U5Fmuj6C9FPusBoPwbpm90jiJ/65kr2kLgaJyLHbTVYyT:fBuZrEUr6CzmsBoYbpUF65GzOB
-
Cobalt Strike reflective loader
Detects the reflective loader used by Cobalt Strike.
-
Drops file in Drivers directory
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Adds Run key to start application
-
Checks for any installed AV software in registry
-
Downloads MZ/PE file
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies powershell logging option
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops file in System32 directory
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1Defense Evasion
Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1