3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448 | Triage

Submit
Reports

Overview

overview

Static

static

7

bobux.exe

windows7-x64

bobux.exe

windows10-2004-x64

Sharing

General

Target

bobux.exe
Size

5.4MB
Sample

221005-r5vm5seghn
MD5

6afa9397a7cd80ffe2f8d30828269e36
SHA1

c7976bb175b4d26cc790f925280551a7fcecfff1
SHA256

3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448
SHA512

de139d2dd1d569b48b6bb79098ed0198771c3187ae0dae8171ab5a89287492711bd712eb432fb822128df0694820e97161a712ddc4e6dd264d2ec30b3b44b230
SSDEEP

98304:NxV6zRhld9E1BlYb9uto2jgrGeweoSYp2prwvLWaNFXvow17IugzlHbGSZBN7fZm:vV8ld98BlON2jnbNswvBXvowJgzl7GSO

Score

10^/10

agilenet evasion persistence themida trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

bobux.exe

Resource

win7-20220901-en

agilenet evasion persistence themida trojan

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

bobux.exe

Resource

win10v2004-20220812-en

agilenet evasion persistence themida trojan

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Targets

- Target
  
  bobux.exe
- Size
  
  5.4MB
- MD5
  
  6afa9397a7cd80ffe2f8d30828269e36
- SHA1
  
  c7976bb175b4d26cc790f925280551a7fcecfff1
- SHA256
  
  3699750883e4c662d50fed7b6d16b8c515d52ad14edf54f6b7183d419e646448
- SHA512
  
  de139d2dd1d569b48b6bb79098ed0198771c3187ae0dae8171ab5a89287492711bd712eb432fb822128df0694820e97161a712ddc4e6dd264d2ec30b3b44b230
- SSDEEP
  
  98304:NxV6zRhld9E1BlYb9uto2jgrGeweoSYp2prwvLWaNFXvow17IugzlHbGSZBN7fZm:vV8ld98BlON2jnbNswvBXvowJgzl7GSO
Score

10^/10

agilenet evasion persistence themida trojan
- Modifies WinLogon for persistence
  persistence
- UAC bypass
  evasion trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Privilege Escalation

Bypass User Account Control

Defense Evasion

Modify Registry

Bypass User Account Control

Disabling Security Tools

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

agilenetevasionpersistencethemidatrojan

behavioral2

agilenetevasionpersistencethemidatrojan

© 2018-2024

Terms | Privacy