General

  • Target

    b2bbe95f39b1fa0ebaa00d29041e81ba.exe

  • Size

    3MB

  • Sample

    220124-hts6hadfcr

  • MD5

    b2bbe95f39b1fa0ebaa00d29041e81ba

  • SHA1

    197b85e8d120d623a2b5b2d9357096042232ab7d

  • SHA256

    ddc739b6d73bd1dc3f6cd7be4daced463081b6a8baffd3fee7931f529e9c23fd

  • SHA512

    88152164f1287bb17bda63721451af814c0c60873c8e66a619b0c1433901c074b5fc5011d85c7c07a7c3134d2625ea7bfab60f0cdaf422d200fb9a3c05a30b29

Malware Config

Targets

    • Target

      b2bbe95f39b1fa0ebaa00d29041e81ba.exe

    • Size

      3MB

    • MD5

      b2bbe95f39b1fa0ebaa00d29041e81ba

    • SHA1

      197b85e8d120d623a2b5b2d9357096042232ab7d

    • SHA256

      ddc739b6d73bd1dc3f6cd7be4daced463081b6a8baffd3fee7931f529e9c23fd

    • SHA512

      88152164f1287bb17bda63721451af814c0c60873c8e66a619b0c1433901c074b5fc5011d85c7c07a7c3134d2625ea7bfab60f0cdaf422d200fb9a3c05a30b29

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Discovery

Query Registry

2
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

3
T1082

Tasks