5e5c17140ce8829ed152d6fce28064e9f5693d789d9ffd2e6b45e330cf5f2207 | Triage

Sharing

General

Target

BLTools 1.9 [CRACKED BY INJUAN].7z
Size

9.4MB
Sample

220806-d9qyvscfb5
MD5

adfb510037f2da72dbe3b077d12bf0ee
SHA1

b181ec66ab76e0ef2cb7fbeab7f271dd0d8ea789
SHA256

5e5c17140ce8829ed152d6fce28064e9f5693d789d9ffd2e6b45e330cf5f2207
SHA512

9c6a8772f3ec9044972b62f6e5b2e94e1283203aff6f9bbcbf91590f41b1be1e2e0a7c374b14063c8995b974dc0c507e96a90c458243c4acafcf70e6fdb25fa3

Score

10^/10

evasion themida trojan

Malware Config

Targets

- Target
  
  BLTools 1.9 [CRACKED BY INJUAN]/AlphaFS.dll
- Size
  
  359KB
- MD5
  
  f2f6f6798d306d6d7df4267434b5c5f9
- SHA1
  
  23be62c4f33fc89563defa20e43453b7cdfc9d28
- SHA256
  
  837f2ceab6bbd9bc4bf076f1cb90b3158191888c3055dd2b78a1e23f1c3aafdd
- SHA512
  
  1f0c52e1d6e27382599c91ebd5e58df387c6f759d755533e36688b402417101c0eb1d6812e523d23048e0d03548fd0985a3fd7f96c66625c6299b1537c872211
Score

1^/10
behavioral1 behavioral2
- Target
  
  BLTools 1.9 [CRACKED BY INJUAN]/BLTools-v1.9.exe
- Size
  
  9.3MB
- MD5
  
  5b8fee9267593396b57d345a9afc7ddb
- SHA1
  
  264968d1bf7c1f6ad0ca4cbdeb89762ddd294948
- SHA256
  
  90dc5d6d2a6b8b4dc6b5f95c44d24b1b6e1916911b1b7a51dd97ed055156fddd
- SHA512
  
  69f9254f78f6ba09d456321cdc74dd74115debc5b91d4abf00cbf665d91ace2d1f4289ee0be9aa32a437b3d14d420b149e778a244c1478df59f3bc9a9571f085
Score

10^/10

evasion themida trojan
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  BLTools 1.9 [CRACKED BY INJUAN]/Extreme.Net.dll
- Size
  
  121KB
- MD5
  
  f79f0e3a0361cac000e2d3553753cd68
- SHA1
  
  4314bcef76fddc9379a8f3a266b37d685d0adb79
- SHA256
  
  8a6518ab7419fbec3ac9875baa3afb410ad1398c7aa622a09cd9084ec6cadfcd
- SHA512
  
  c77516e7f5540ecd13fa5d8cecfce34629acecd9b5a445f5f48902c9e823328fa9a6694ecaa39f5b6053de61c2b850c2d87df25357548afaad6ec37eb3e5e355
Score

1^/10
behavioral5 behavioral6
- Target
  
  BLTools 1.9 [CRACKED BY INJUAN]/Ookii.Dialogs.Wpf.dll
- Size
  
  103KB
- MD5
  
  932ebb3f9e7113071c6a17818342b7cc
- SHA1
  
  9ce2d08bc3840632092325abcc8d842eeb8189d4
- SHA256
  
  285aa8225732ddbcf211b1158bd6cff8bf3acbeeab69617f4be85862b7105ab5
- SHA512
  
  6b6086cff7b916c0c4536e3c7cba4ba17d6c4be2e4a88a5877be852e197f1f9c9c120d1295acf2b4277a9badd8cfd229ef3c1ab2049d0aeec22d3033be156141
Score

1^/10
behavioral7 behavioral8

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

evasionthemidatrojan

behavioral4

evasionthemidatrojan

behavioral5

behavioral6

behavioral7

behavioral8