b1e3d0fbc99637ea6dd51c1041fdd5f315de0582382c00b8fbf160cd748bbc17 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

9

Static

static

2e801601f6...5d.exe

windows7-x64

7

2e801601f6...5d.exe

windows10-2004-x64

9

Sharing

General

Target

2e801601f6fbfc97bb5a991bd4a4b92ea591eabe70d7d86a6eac26549fcfab5d.zip
Size

247KB
Sample

220910-w45tyaaeb2
MD5

7ffc8aac9a585e55a53b73077e3912cc
SHA1

c7ea5824df4fbe52e4d58357f4c7923c8e8f8420
SHA256

b1e3d0fbc99637ea6dd51c1041fdd5f315de0582382c00b8fbf160cd748bbc17
SHA512

695a5a32c312369a47bcad52747b841be85440142a0d47e9604fbfbb468363179e8261b59901c6af3a8f6660c2ce9b097681698a0626a9e246f259281c4f3904
SSDEEP

6144:wtXmcRhC8tLQPWEsW742huAjVH52KSQph+XHfKu2Un1mTIZjU:wtmSnuaW7NFR52KSQv+h1GJ

Score

9^/10

evasion themida trojan

Static task

static1

Behavioral task

behavioral1

Sample

2e801601f6fbfc97bb5a991bd4a4b92ea591eabe70d7d86a6eac26549fcfab5d.exe

Resource

win7-20220901-en

windows7-x64

3 signatures

150 seconds

Behavioral task

behavioral2

Sample

2e801601f6fbfc97bb5a991bd4a4b92ea591eabe70d7d86a6eac26549fcfab5d.exe

Resource

win10v2004-20220812-en

evasion themida trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  2e801601f6fbfc97bb5a991bd4a4b92ea591eabe70d7d86a6eac26549fcfab5d
- Size
  
  365KB
- MD5
  
  6e9fdb1ac3859e908475bc69b239435a
- SHA1
  
  251dcbd7385c20b02a7a9dfce1270b834c5d4659
- SHA256
  
  2e801601f6fbfc97bb5a991bd4a4b92ea591eabe70d7d86a6eac26549fcfab5d
- SHA512
  
  2c5b2ee91a4347f477c7ff802b1b562f548a8bc45c08fde06ec359c221f07f921291e46bf639377ef5cf20f7581e1d40b0e008c26ea89812f05ea73565093bc5
- SSDEEP
  
  6144:ecTKOC7+0H3uMAKbUQ8qfH4umdyJRVP+C5XYo9zZ1FKGUOUTE6qJWoDU0v+Dudrr:eWqH3D3bUQ8qfH4byJRV2CNYYBKGUOWC
Score

9^/10

evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

evasionthemidatrojan

© 2018-2025

Terms | Privacy