General

  • Target

    66e3103ebd4e94b69efda203606f09bb

  • Size

    3.3MB

  • Sample

    220116-qb3wzsfdg6

  • MD5

    66e3103ebd4e94b69efda203606f09bb

  • SHA1

    f5a3960c89330930a045d0b9f6babd8be6c2a971

  • SHA256

    bc5c16685482832a733991a0a5a29c0affe69cb5fa4e07c1ad6bae49c46bad2b

  • SHA512

    6a7160fd742b87acea6e7b6a507db1d60bf6d713c83f57bb7b373fb7d8ea8e03df7cd1363740931ef2eb58fa63c758cb039fd4031322e9d7ddb0d1a67cb9c58f

Malware Config

Targets

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v6)

    Tactic             Technique                         Signatures   ID
    Defense Evasion    Virtualization/Sandbox Evasion    1            T1497
    Discovery          Query Registry                    3            T1012
    Discovery          Virtualization/Sandbox Evasion    1            T1497
    Discovery          System Information Discovery      4            T1082