cd926b9d7e5fba60c79da0fce1555c19e94b9dda7bca36d2150283b0472c9072 | Triage

Submit
Reports

Overview

overview

Static

static

F-actura0622.bat

windows7_x64

F-actura0622.bat

windows10-2004_x64

Sharing

General

Target

ID-22Fact.1655918006.zip
Size

909B
Sample

220622-y34xcsdae8
MD5

3f2cc04c06e426b507a9cdced333ab63
SHA1

93f1891e81a08b6a7df02fdd09d4696c7a25c85c
SHA256

cd926b9d7e5fba60c79da0fce1555c19e94b9dda7bca36d2150283b0472c9072
SHA512

bf46abe0195395f4c99e6e8cf430e5ab04e2201dddb01c5562aa8841a41c19445a6946422b0e9454cdf20d7bd3b58968cef3a16ab86a06d67963e869ffacdf24

Score

10^/10

evasion persistence themida trojan

Static task

static1

Behavioral task

behavioral1

Sample

F-actura0622.bat

Resource

win7-20220414-en

evasion persistence themida trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

F-actura0622.bat

Resource

win10v2004-20220414-en

evasion persistence themida trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://20.91.202.137//?a=Z0DEXUBSWD7FE45T3JHBMMJXCW3DON98P9LY3SRT

Targets

- Target
  
  F-actura0622.bat
- Size
  
  1KB
- MD5
  
  6cef8304265178796921535f0a2e9c03
- SHA1
  
  07275c43ac049126b967325baf984e3def7af1ed
- SHA256
  
  db9c0fd3a144ea0a24d8d65841ae94f7336ed420428dd455ed4b27ac081949c5
- SHA512
  
  1a2fa8832ed844fad8b704754f929df1ed71931f043571f3c0d9e6025ff821b0169c028f15062df10bb350668522e9f17af14a1dd81283c5222b01af974157f3
Score

10^/10

evasion persistence themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Blocklisted process makes network request
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

evasionpersistencethemidatrojan

behavioral2

evasionpersistencethemidatrojan

© 2018-2024

Terms | Privacy