General

  • Target: Disbalancer.zip
  • Size: 2.9MB
  • Sample: 220314-ngn9nseed2
  • MD5: 5c0693ed5953c01ccf046b8a9461efa3
  • SHA1: 24c748f725358f8559cc4295c52f0476ba911c5c
  • SHA256: 705380e21e1a27b7302637ae0e94ab37c906056ccbf06468e1d5ad63327123f9
  • SHA512: e098f4c9418cdb990de281be6dbe9e7562ccdd41f4345b440b9a6ddf2d0fcc3c3d6d98594b1c75e59004a79b55271d2868adc7f29f3b80373e2bb5f5f985902c

Malware Config

Targets

    • Target: Disbalancer.exe
    • Size: 5.3MB
    • MD5: 876b71d32631eb0980cf48e839566204
    • SHA1: 6bf0b1b8a5a55ee7146ade30257c65b04922889c
    • SHA256: eca6a8e08b30d190a4956e417f1089bde8987aa4377ca40300eea99794d298d6
    • SHA512: 661f2d3ab2b8aa6ca580e93dd564504b2b68d5635fe0ac5e9fd730f690a1e7c3abbf4c8ac95d85003c87ebaedf236d37fc1203dc145d41b478bdd04c6a2fe7dc

    • PhoenixStealer

      PhoenixStealer is an information stealer written in C++; it sends the stolen information to cybercriminals.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

MITRE ATT&CK Enterprise v6

Tasks