91cd8bfbe714acc43beff32856c3d56ded48706d3c92c492a1acb994b606003b | Triage

Sharing

General

Target

all.zip
Size

36.2MB
Sample

220216-vy77facac6
MD5

7c2aa852211b49b68f38ebb9971915b4
SHA1

adcea03a835a323f8864706610adfefd16895d80
SHA256

91cd8bfbe714acc43beff32856c3d56ded48706d3c92c492a1acb994b606003b
SHA512

22a9baf252145f405741c639019cc56f0a5ab4a836b2b6077bf196e80e83089dbb49dff8414b79b8fd182aa79f0ed27611906c5c4a8bcbb43aee607c0ae8eb27

Score

10^/10

evasion link pdf persistence themida trojan upx vmprotect

Malware Config

Targets

- Target
  
  all/clickers/Spotify.exe
- Size
  
  1.7MB
- MD5
  
  5214e287e7509bb4940901996b496d4d
- SHA1
  
  a3fe343817dc817c091fb2b30b36600abfb062df
- SHA256
  
  afa2f55e149097f9b250142bbfd94d9d56d10649c96adb079fdb0dfdac7c6660
- SHA512
  
  c29a538c58407e46d79df33d05014ea2156cf40dec11122569d9135adfe15f6b1a038bac4dc88a3ac8b2f2aae3cb72e22cf10cdacbe621dc8d3d60d57ef18797
Score

7^/10
- Loads dropped DLL
behavioral1 behavioral2
- Target
  
  all/clickers/axentav2.exe
- Size
  
  786KB
- MD5
  
  89ec845ca6b4ace15355ad206ebadc11
- SHA1
  
  8415a77f1cece08a113fddbe9c781fcffaf4dbd9
- SHA256
  
  cedab271e30415766e897ef6b1fce37116bfc73c6bf71bfa9f3343e261fa98d7
- SHA512
  
  edd655ee1b34dc62f00db12703d6ee5dc3e2ea5ea89ddfa84d856717205f8a1a1a8b66ee6a5e7995ae0c945530eb523c180c73871a4fcfa886c4d99f06bbf287
Score

8^/10

vmprotect
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
behavioral3 behavioral4
- Target
  
  all/clickers/isolation.exe
- Size
  
  1.3MB
- MD5
  
  e1263e274c27ce43655c36ab0638d34b
- SHA1
  
  96c66c508f542cbf2f5d08614f8c66a30a7799cc
- SHA256
  
  ede30bb0c9a4b8564538315b76759def592ee6869864f0fc7cd6de89deba6581
- SHA512
  
  64739e5939fa3d863475f6dd005e923d7004a107a09c721af57075e22ec845655583691cdaec401e1dba6c56890ac3f3118e7e89801e4a667371bc3251556d03
Score

4^/10
behavioral5 behavioral6
- Target
  
  all/clickers/mangoclicker.exe
- Size
  
  937KB
- MD5
  
  091aabf897476d2d6e82fd0fc21a394b
- SHA1
  
  f531eda1a001a9cfc9191c1d8a4048c61ee53393
- SHA256
  
  6c9708fcb2729df27a7d92dc2573fd9ea9c518a8b53a103ca597dfbea398236a
- SHA512
  
  bc386b500631f756521b3cf0b05605c16e3edc21f0fbaf90faf6ccf3a2bad2caf33ac7c5d736c8be3d549c7c13db37730aeab9b859fed864e0f1c5126a4fdbd9
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
behavioral7 behavioral8
- Target
  
  all/clickers/nigclickermp3.exe
- Size
  
  154KB
- MD5
  
  c54431007e22486b5f6f6dab618224e1
- SHA1
  
  6ea6d21f22c0350541ca9e1e48bc20a571e33dc4
- SHA256
  
  131bd4e3170c5c87cafa632cfec7eb7281490b00c292dcde95e770752d7272ad
- SHA512
  
  b63d396af593b26538226e5940b3e18479dbc84c60f6ea0148969ca67b810b102cbdf44b06033513cdc7ba7b868ff94c0c4df4d586f7a2cd3b9ed6ed819bdeb4
Score

8^/10
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
behavioral9 behavioral10
- Target
  
  all/clickers/slinkylmao.exe
- Size
  
  687KB
- MD5
  
  5bfdbb28cc7fed82bf415edac9c9eb83
- SHA1
  
  c04b108edbb95b75dc1496bed342b937f37fa17a
- SHA256
  
  12affb37160cf0bb5fe284c7f65ddeea23a788f4d35fbf158a4877c99640e8c3
- SHA512
  
  ff52df5c58fbee9dd555f373bb1a4b520e36f6a76e1b6ed345015cbd0adf1a3927dd79afe1b92e76b439d1221865b72a34a9023fad3c0c1f849e6a90e4352ae3
Score

6^/10

link pdf persistence
- Adds Run key to start application
  persistence
behavioral11 behavioral12
- Target
  
  all/clickers/vega.exe
- Size
  
  599KB
- MD5
  
  284849a2131da7c109cb496b388bd3ac
- SHA1
  
  9b21005a0bb149ba8222ed5e53dbd3cf312ae404
- SHA256
  
  6cfe6fac4c62d54e6ed35a12607c561beced186069801b20e6eebede85940fa0
- SHA512
  
  3926df84b6bb57286198dda09461e2e1ced230a7215f5ed0ae4a1a6a2d394e57e4ef41a58b2cc63845f8328360a49af327afa8b3157b1c3ab7c14659b5962910
Score

10^/10
- Suspicious use of NtCreateProcessExOtherParentProcess
behavioral13 behavioral14
- Target
  
  all/gcs/Client_Loader.exe
- Size
  
  1.1MB
- MD5
  
  4d533e9bf473bffa223d08375406e354
- SHA1
  
  a476be755207b0a789a7ea291980ddc53318ff1d
- SHA256
  
  84b42521803e83e1d6633bec4099f443a46898297c2588a04dd4b97797311795
- SHA512
  
  e20230aa5091e8ff762d7b81c0edde8ab476aa03ed83c2a2bc75b06e3dfebb0aacfde26562c2684368cce72595672f6efa9ca0b489cb09e0394a602564a89980
Score

7^/10
- Loads dropped DLL
behavioral15 behavioral16
- Target
  
  all/gcs/Icetea.exe
- Size
  
  629KB
- MD5
  
  ec75749551b255093e77a5d6c1d72e1b
- SHA1
  
  fac81f6c1f1bd668b66f2d1d84c6fe2a4e6b0c98
- SHA256
  
  1a9f99be6ea38d09047da97d68350d5c04f59cd40269569271ff3231fbabb32d
- SHA512
  
  2db7db3fe569d70e476d05f8b4e88e2f5d22ecccce12dca745208001078d0cd9c7f00711b32c2599d2b594f98a6a6ff20ef9c133d3c133654782788f8e5198e8
Score

4^/10
behavioral17 behavioral18
- Target
  
  all/gcs/Koid.exe
- Size
  
  1.5MB
- MD5
  
  15ec276e3c1d3d757eed8698c59c1095
- SHA1
  
  28be0d3db48ef6423c2c4e222f5f949b8ed6e845
- SHA256
  
  4bf92841621b08ec1796fa380fd71bd9f6fec65b923aec1dbd5b074f062eaf21
- SHA512
  
  467196ee35523d4a24bd3746a9785040e092e4aba096c4e342ce1dfe2a9c3b1ca61f207b4581ac97a3861f12f714581854339727681aba1ba93d8e36ef9eb671
Score

4^/10
behavioral19 behavioral20
- Target
  
  all/gcs/crypt.exe
- Size
  
  9.9MB
- MD5
  
  b9e93f1bce9f61e1a98083a36c8a4a06
- SHA1
  
  9b4d9b385d47831749059a7db02008bbdf610146
- SHA256
  
  476be5bcce19adbc987d6e99b2edd2c55599fb9367ae72a8a175284cf07c6802
- SHA512
  
  6f97821eeded7dd9c160358b440b73c1d26b656a77b5c08f33b1550d23ea5cbfddb048093dac5333e32ab6bfa87e8e7d6d4dca1d0846ea337c4b6b40b31fb206
Score

9^/10

evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral21 behavioral22
- Target
  
  all/gcs/encephalon_clean.exe
- Size
  
  4.8MB
- MD5
  
  21d07a078e78af8a4ccb30d0fc133ca5
- SHA1
  
  6f93f72e4b4b1219e0fe9b18192fd67b43666460
- SHA256
  
  5890b95051bdad9b5aa287265b64d85e61f26ca0368adc2f526959c660d77637
- SHA512
  
  dffb7351066d9ee99515a46c4612d420667b36a6f55e7aaf7b743e79ea4c76f041a9da711c5557a6439702630566db8fee3844f26969f4ecee771afb2d3d9838
Score

8^/10

vmprotect
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
behavioral23 behavioral24
- Target
  
  all/gcs/epic.exe
- Size
  
  1.1MB
- MD5
  
  0cf061ff391f467a683d11884d2ad520
- SHA1
  
  ed6212e71335f3707303da91c84993c149520d01
- SHA256
  
  3ac8a1a80b1aea1542a42ac25b0b4d730cc9f3cebd9b2661686177a083e98c03
- SHA512
  
  022e77fb62f3b5911172ef0b378b6f625fb940f475c6069c5146d179c0d426ba99a80f10fada8e5d1bdbd00c3ff3332dbf11f81469a75db29e79e71d0fe616d3
Score

4^/10
behavioral25 behavioral26
- Target
  
  all/gcs/itami.exe
- Size
  
  430KB
- MD5
  
  ad7057a3d1472fa03f068feb89eb81e0
- SHA1
  
  3c460a273a32961823c64e3b2c471b2eb48ed0a8
- SHA256
  
  348d5863c8a01db43945be3738198d9dc4d64f27c9c4282d59e1bc01af11dfab
- SHA512
  
  6258574f4174fe1bda67d92daf4e38f4568df9b1e20fdf453daed0de610a067048716ffe08ffb566ec739c5603c7edcd0b04a48cc1131412e2b3a51080c0be43
Score

4^/10
behavioral27 behavioral28
- Target
  
  all/gcs/kryptonclient.exe
- Size
  
  3.8MB
- MD5
  
  a7beb58e9507171e44455f1f823286ab
- SHA1
  
  3689b44d42583008d5d158968bf7e81c3c0ccf3c
- SHA256
  
  e781c6915a983883f16ed22a1236e9bc93af081fb5cd3b8ec4c554ceb18183db
- SHA512
  
  35b7714979773d60296d81f57c4805cc0160db8b881a27ef4370718049949940f9d5734566b6398d5ab7b32800bf50e6f54bdd23150ad02ac60f2b7b55bd4b2b
Score

9^/10

evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral29 behavioral30
- Target
  
  all/gcs/kura.exe
- Size
  
  3.3MB
- MD5
  
  208a92b2100ef3dc268b709e7a9aa3e2
- SHA1
  
  2825a5777445dd584289fe35e41c836f8743dbcb
- SHA256
  
  5e8394b44ba1373b36214d09b16a43ada6d001e55509de72c1f85928481422b0
- SHA512
  
  fa64f5ab44d63ee3963dfbc4c49f089fb9395c55a4847096c7791935876bfdb91af6653dc27db6a012cfba02ef97b7e5ac278a5145f1ad3b80fa735f1d86699a
Score

9^/10

evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral31 behavioral32

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

vmprotectupxpdflinkthemida

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

linkpdfpersistence

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

evasionthemidatrojan

behavioral22

evasionthemidatrojan

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

evasionthemidatrojan

behavioral31

behavioral32

evasionthemidatrojan