ca718d5438efb6c9d9d1ae956d866531f5bd0290c96e87654ef62d34311efe56 | Triage

Submit
Reports

Overview

overview

Static

static

7

babux3.0.exe

windows7-x64

babux3.0.exe

windows10-2004-x64

Sharing

General

Target

babux3.0.exe
Size

5.4MB
Sample

221005-r5vyxaeghq
MD5

98dfc3e7c78d4a7decdc8ec0f37324ae
SHA1

d9913ddccb39d1f6dda99cdea7094c965cd58742
SHA256

ca718d5438efb6c9d9d1ae956d866531f5bd0290c96e87654ef62d34311efe56
SHA512

00323ea1f2ff0fe032a9eadf1a1d769a2e7ee78e07b4238bfb952cf4c16b7d7181027d210e3dd6be59ff23507dfd2a948d95eee8012b9e5caa36b1cca18b4e9b
SSDEEP

98304:QjxV6zRhld9E1BlYb9uto2jgrGeweoSYp2prwvLWaNFXvow17IugzlHbGSZBN7fc:EV8ld98BlON2jnbNswvBXvowJgzl7GSO

Score

10^/10

agilenet evasion persistence themida trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

babux3.0.exe

Resource

win7-20220901-en

agilenet evasion persistence themida trojan

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

babux3.0.exe

Resource

win10v2004-20220812-en

agilenet evasion persistence themida trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  babux3.0.exe
- Size
  
  5.4MB
- MD5
  
  98dfc3e7c78d4a7decdc8ec0f37324ae
- SHA1
  
  d9913ddccb39d1f6dda99cdea7094c965cd58742
- SHA256
  
  ca718d5438efb6c9d9d1ae956d866531f5bd0290c96e87654ef62d34311efe56
- SHA512
  
  00323ea1f2ff0fe032a9eadf1a1d769a2e7ee78e07b4238bfb952cf4c16b7d7181027d210e3dd6be59ff23507dfd2a948d95eee8012b9e5caa36b1cca18b4e9b
- SSDEEP
  
  98304:QjxV6zRhld9E1BlYb9uto2jgrGeweoSYp2prwvLWaNFXvow17IugzlHbGSZBN7fc:EV8ld98BlON2jnbNswvBXvowJgzl7GSO
Score

10^/10

agilenet evasion persistence themida trojan
- Modifies WinLogon for persistence
  persistence
- UAC bypass
  evasion trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Modifies WinLogon
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Privilege Escalation

Bypass User Account Control

Defense Evasion

Modify Registry

Bypass User Account Control

Disabling Security Tools

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

agilenetevasionpersistencethemidatrojan

behavioral2

agilenetevasionpersistencethemidatrojan

© 2018-2024

Terms | Privacy