Resubmissions

  • 30-01-2022 14:30    220130-rvcpksdah4    9

  • 30-01-2022 14:23    220130-rp54yadaa7    9

General

  • Target: ACTIVATE____SETUP__4695.exe

  • Size: 744KB

  • Sample: 220130-rp54yadaa7

  • MD5: 849bf640bf914ec675b9477a802a22f9

  • SHA1: e1a12595f8c9d48416ec342cd4037a32f3fdda24

  • SHA256: 5b74eb73697a853a9d2d138a270a97a4edbcdc38ba46c5ea3cd79076ba4cecb4

  • SHA512: 763878ebb2c574f6e93e6bd7be49ee874e35e04c4bbd8d771224c16ece3628523041520497b6f66bd3f90e8f3e09b0accda049fa518bfbeb4fc77bc2175d6ec1

Malware Config

Targets

    • Target: ACTIVATE____SETUP__4695.exe

    • Size: 744KB

    • MD5: 849bf640bf914ec675b9477a802a22f9

    • SHA1: e1a12595f8c9d48416ec342cd4037a32f3fdda24

    • SHA256: 5b74eb73697a853a9d2d138a270a97a4edbcdc38ba46c5ea3cd79076ba4cecb4

    • SHA512: 763878ebb2c574f6e93e6bd7be49ee874e35e04c4bbd8d771224c16ece3628523041520497b6f66bd3f90e8f3e09b0accda049fa518bfbeb4fc77bc2175d6ec1

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

  • Virtualization/Sandbox Evasion (T1497): 1

Credential Access

  • Credentials in Files (T1081): 2

Discovery

  • Query Registry (T1012): 4

  • Virtualization/Sandbox Evasion (T1497): 1

  • System Information Discovery (T1082): 4

  • Process Discovery (T1057): 1

Collection

  • Data from Local System (T1005): 2

Tasks