allcome | a7e29a0a274f353c1472741fb4db1881989011ae3d76a9904c78ab42ffa2a82d | Triage

Submit
Reports

Overview

overview

Static

static

7

ef9029e808...67.exe

windows7-x64

ef9029e808...67.exe

windows10-2004-x64

Sharing

General

Target

ef9029e808dfd848d69f22259d632f67.exe
Size

3.3MB
Sample

220906-nyfnvsccf7
MD5

ef9029e808dfd848d69f22259d632f67
SHA1

865aad7739c3e98c9467b407fa031d5694baccf5
SHA256

a7e29a0a274f353c1472741fb4db1881989011ae3d76a9904c78ab42ffa2a82d
SHA512

535fb3b98f1090a95be517a73b1d7be61b35b196fa7216e5326e68103380990068c0201b3320822275bea0c2ebd3fffb8154589e83be4ccfcd51b015266be493
SSDEEP

98304:3zg8EJGNcbiELH0k6inOMhtACfUqe2EhgQJg:3zgANcbiED0finOytnq5hgM

Score

10^/10

allcome evasion stealer themida trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

ef9029e808dfd848d69f22259d632f67.exe

Resource

win7-20220812-en

allcome evasion stealer themida trojan

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

ef9029e808dfd848d69f22259d632f67.exe

Resource

win10v2004-20220812-en

allcome evasion stealer themida trojan

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

allcome

C2

http://dba692117be7b6d3480fe5220fdd58b38bf.xyz/API/2/configure.php?cf6zrlhn=finarnw

Wallets

D5c27bWU8dvgdayPUMzKbc75CmsD9aUSDw

r4RkKWPKszhkZVTtXGBDNyrzcDPjpcnGNp

0xC4b495c6ef4B61d5757a1e78dE22edC315867C84

XshLZA5C9odmaiEfopX5DYvwMbnM4hqCME

TT7mceJ6BNhTPFqpaBy1ND1CWGwaGeqhpx

t1MrxfTEGEZioK7qjcDd48KVC5BMk7ccH8B

GCM62OODIUXHYPTVUZT2W4GKPIO7YMLZDNPR4NGUWLBU7KPOU7Q7E44X

48Zvk6W9kfXik8CEscQYjEZdDCVZtXNEGdjczTR4XD9SKfLWkirntGLR7UyhD7aas3C2N3QefcdB4gyLZt93CrmtP5WAeqJ

qz448vxrv9y6lsy0l4y6x98gylykleumxqnqs7fkn6

1AvqxpSfuNooDv2gn8rFNXiWP64bn7m8xa

0x7374d06666974119Fb6C8c1F10D4Ab7eCB724Fcd

LKcXMo6X6jGyk9o9phn4YvYUQ8QVR4wJgo

ronin:bb375c985bc63d448b3bc14cda06b2866f75e342

+79889916188

+79889916188

+79889916188

MJfnNkoXewo8QB5iu9dee2exwdavDxWRLC

ltc1q309prv3k8lc9gqd062eevjvxmkgyv00xe3m6jg

3Gs18Dq8SNrs3kLQdrpUFHa2yX8uD9ZXR7

bc1qhcynpwvj6lvdh393ph8tesk0mljsc6z3y40h2m

89PjhdrngYjeSa8dFeg6q8Sz4BXdrLLP8H8z82eUhTNjPBpTYkr3o6fWnkqng9D5TRaPT4HafXwUTJqcPE8SsbHUK5PM2Qx

Targets

- Target
  
  ef9029e808dfd848d69f22259d632f67.exe
- Size
  
  3.3MB
- MD5
  
  ef9029e808dfd848d69f22259d632f67
- SHA1
  
  865aad7739c3e98c9467b407fa031d5694baccf5
- SHA256
  
  a7e29a0a274f353c1472741fb4db1881989011ae3d76a9904c78ab42ffa2a82d
- SHA512
  
  535fb3b98f1090a95be517a73b1d7be61b35b196fa7216e5326e68103380990068c0201b3320822275bea0c2ebd3fffb8154589e83be4ccfcd51b015266be493
- SSDEEP
  
  98304:3zg8EJGNcbiELH0k6inOMhtACfUqe2EhgQJg:3zgANcbiED0finOytnq5hgM
Score

10^/10

allcome evasion stealer themida trojan
- Allcome
  A clipbanker that supports stealing different cryptocurrency wallets and payment forms.
  stealer allcome
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

allcomeevasionstealerthemidatrojan

behavioral2

allcomeevasionstealerthemidatrojan

© 2018-2024

Terms | Privacy