Overview

overview

9

Static

static

3

627b7a13e4...e3.exe

windows7_x64

9

627b7a13e4...e3.exe

windows10-2004_x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    fake-flash.zip

  • Size

    13.8MB

  • Sample

    220511-qylwzsbcal

  • MD5

    f0e8159305d41e436fd8661dd1a5b83e

  • SHA1

    63a31517caa2fe9aa58ebec777b7a3e45c11d25b

  • SHA256

    dcfe350d953062791506e32d953a38202216125de7999daa53e84372b2b800fa

  • SHA512

    becdbcc85b4b0be81b3c88350fd69e70a0cae50f3ef811b14fb47394c10c90f5ebd2208f6457458104d2483221c9c32004383c49f99e4a4b6e626a25c270e039

Score
9/10
evasionpyinstallerthemidatrojan

Malware Config

Targets

    • Target

      627b7a13e4b0d5c47958d2e3.exe

    • Size

      13.9MB

    • MD5

      cf0b38c9153e2d586b04fd88a82f9682

    • SHA1

      745ad6244181b54061cacbebc1e0e39d5f0ae4bb

    • SHA256

      0afeddf5d9d31c04ba1e5f3c5ac05cc5db4a232ece3dd2e3d15a1776a14e9993

    • SHA512

      9b5cd095afc1295d28c69b4fc2b9bb27f730f90886993532f9f72be1656f613273679536835e265e928dce2d9aebc076bd6c2e166a5e005a404f276d7f91cc3f

    Score
    9/10
    evasionthemidatrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Query Registry

2
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks