General

  • Target

    cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b

  • Size

    15.9MB

  • Sample

    220521-agyapaacb6

  • MD5

    1f6ffbf88537755b91d44ef7f2adec54

  • SHA1

    e85536f40c73aa0293645bc0e61c4290af3a0b65

  • SHA256

    cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b

  • SHA512

    bc0922aa3a79d6790c4c21b7c404d439233120772528ddcb96c390f276e91f9f162d6a490e02ee4bd963aa02ec15ed88e202e75155e02b1e41a593372fe8f161

Malware Config

Targets

    • Target

      cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b

    • Size

      15.9MB

    • MD5

      1f6ffbf88537755b91d44ef7f2adec54

    • SHA1

      e85536f40c73aa0293645bc0e61c4290af3a0b65

    • SHA256

      cc68c64d94ebdf8b1595358fafd3e08dfe0d7c8e545eb97dd7be4c8bdc82fc7b

    • SHA512

      bc0922aa3a79d6790c4c21b7c404d439233120772528ddcb96c390f276e91f9f162d6a490e02ee4bd963aa02ec15ed88e202e75155e02b1e41a593372fe8f161

    • Stops running service(s)

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks