General

  • Target

    DiscordSetup.exe

  • Size

    6.0MB

  • Sample

    221012-kr2e7sdah7

  • MD5

    0906bfbcac00c26b080d3ba4f4542579

  • SHA1

    eca76f73d94d388b51d3b5f97525ab49fb47f8c6

  • SHA256

    5081dcd1a166a86ae2915ffa8e85c0d926699443a232bb9eb1d62ff7b94626d1

  • SHA512

    2640ba2765afeef95c753fb0ec9222717fa3e228a93e34e4ff402dc173fc575945da0b35ecc59aa489051c876d77e4c2bf14abf48ac57831ae044d6b9e33a527

  • SSDEEP

    98304:TlxV6zRhld9E1BlYb9uto2jgrGeweoSYp2prwvLWaNFXvow17IugzlHbGSZBN7fe:TnV8ld98BlON2jnbNswvBXvowJgzl7Gr

Malware Config

Extracted

Path

C:\Users\Admin\desktop\README.txt

Ransom Note
-------ALL YOUR FILES HAS BEEN ENCRYPTED------- All your documents, photos, databases and other important files have been encrypted. Any attempts to restore your files with the third party software will be fatal for your files! The only way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program you have to make a deposit of 1BTC to the following address : 16Eoi7psqDG1PuXtaodK3bk5bsFR6drnT5 After the payment has been made your files will be decrypted. For more information, Please contact emotet.gang@protonmail.com
Emails

emotet.gang@protonmail.com

Wallets

16Eoi7psqDG1PuXtaodK3bk5bsFR6drnT5
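The ransom note, e-mail and wallet above are the actionable IOCs of this sample; the following script shows one way to pull them out of the note and sanity-check them before they go into a blocklist. It is an added example, not part of the Triage report: the note text and the report's hashes are embedded as constructed input, the regexes are this example's own, and the Base58Check routine only validates legacy (1…/3…) Bitcoin addresses, so a bech32 address in another note would need a second pattern.

```python
import hashlib
import re

# Constructed input: the ransom note text as extracted in the report above,
# dropped at C:\Users\Admin\desktop\README.txt.
RANSOM_NOTE = (
    "-------ALL YOUR FILES HAS BEEN ENCRYPTED------- All your documents, photos, "
    "databases and other important files have been encrypted. Any attempts to "
    "restore your files with the third party software will be fatal for your "
    "files! The only way to decrypt your files is to receive the private key and "
    "decryption program. To receive the private key and decryption program you "
    "have to make a deposit of 1BTC to the following address : "
    "16Eoi7psqDG1PuXtaodK3bk5bsFR6drnT5 After the payment has been made your "
    "files will be decrypted. For more information, Please contact "
    "emotet.gang@protonmail.com"
)

# File hashes of the submitted sample, copied from the report's General section.
REPORTED_HASHES = {
    "md5": "0906bfbcac00c26b080d3ba4f4542579",
    "sha1": "eca76f73d94d388b51d3b5f97525ab49fb47f8c6",
    "sha256": "5081dcd1a166a86ae2915ffa8e85c0d926699443a232bb9eb1d62ff7b94626d1",
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Legacy Base58Check Bitcoin addresses (P2PKH start with 1, P2SH with 3).
# The alphabet omits 0, O, I and l; "1BTC" in the note is too short to match.
BTC_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58check_valid(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose last 4 equal the double-SHA256
    checksum of the first 21 (version byte + 20-byte hash)."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' encodes one leading zero byte that the integer lost.
    payload = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body
    if len(payload) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(payload[:21]).digest()).digest()
    return digest[:4] == payload[21:]


def extract_iocs(note: str) -> dict:
    """Pull contact e-mails and wallet candidates out of a ransom note; each
    wallet is paired with its Base58Check result so typos and look-alike
    strings can be filtered before the IOCs are shared."""
    emails = list(dict.fromkeys(EMAIL_RE.findall(note)))
    wallets = [(w, b58check_valid(w)) for w in dict.fromkeys(BTC_RE.findall(note))]
    return {"emails": emails, "wallets": wallets}


def is_reported_sample(data: bytes) -> bool:
    """Compare a file's digests against the hashes in this report."""
    return all(
        hashlib.new(name, data).hexdigest() == expected
        for name, expected in REPORTED_HASHES.items()
    )


if __name__ == "__main__":
    print(extract_iocs(RANSOM_NOTE))
    print(is_reported_sample(b"not the sample"))
```

Checking the checksum matters in practice: a wallet transcribed with one wrong character will never receive a payment, so a failed check usually means a copy error in the note or in the analyst's transcription rather than a new IOC.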

Targets

    • Target

      DiscordSetup.exe

    • Size

      6.0MB

    • MD5

      0906bfbcac00c26b080d3ba4f4542579

    • SHA1

      eca76f73d94d388b51d3b5f97525ab49fb47f8c6

    • SHA256

      5081dcd1a166a86ae2915ffa8e85c0d926699443a232bb9eb1d62ff7b94626d1

    • SHA512

      2640ba2765afeef95c753fb0ec9222717fa3e228a93e34e4ff402dc173fc575945da0b35ecc59aa489051c876d77e4c2bf14abf48ac57831ae044d6b9e33a527

    • SSDEEP

      98304:TlxV6zRhld9E1BlYb9uto2jgrGeweoSYp2prwvLWaNFXvow17IugzlHbGSZBN7fe:TnV8ld98BlON2jnbNswvBXvowJgzl7Gr

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger information class (0x11), which stops the thread from delivering debug events to an attached debugger; a common anti-debugging technique.
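The registry-based signatures above (VirtualBox ACPI key, BIOS strings, country code, UAC state) can be reproduced against a host to see what the sample would have seen, which is useful when hardening a sandbox so it stops tripping these checks. The script below is an added example, not code from the report or the sample: the key paths are the standard Windows locations these behaviours are normally read from (the report names the behaviours, not the keys, so that mapping is an assumption), the VM marker list and the two embedded snapshots are constructed, and the geofence list is left for the caller because the report does not say which country codes the sample avoids. The debugger check is not reproduced, since it is a thread-level API call rather than a registry read. Because the binary is Themida-packed, these paths will not be visible as plain strings in the file; the sandbox observed them at run time.

```python
import platform

# Registry locations behind the report's signatures (assumed; the report names
# the behaviours, not the exact keys).
HKLM_ACPI_DSDT = r"HARDWARE\ACPI\DSDT"            # VirtualBox adds a VBOX__ subkey
HKLM_BIOS = r"HARDWARE\DESCRIPTION\System\BIOS"   # SystemManufacturer, SystemProductName, ...
HKCU_GEO = r"Control Panel\International\Geo"     # Nation = GeoID of the configured location
HKLM_UAC = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"  # EnableLUA
BIOS_VALUES = ("SystemManufacturer", "SystemProductName", "BIOSVendor", "BIOSVersion")
VM_MARKERS = ("VBOX", "VIRTUALBOX", "INNOTEK", "VMWARE", "QEMU", "BOCHS")

# Constructed snapshots: what a default VirtualBox guest and a physical laptop
# typically expose. Values are illustrative, not taken from the report.
VBOX_SNAPSHOT = {
    "acpi_dsdt_subkeys": ["VBOX__"],
    "bios": {"SystemManufacturer": "innotek GmbH", "SystemProductName": "VirtualBox",
             "BIOSVendor": "innotek GmbH", "BIOSVersion": "VirtualBox"},
    "geo_nation": "244",   # GeoID 244 = United States
    "enable_lua": 1,
}
BARE_METAL_SNAPSHOT = {
    "acpi_dsdt_subkeys": ["DELL__"],
    "bios": {"SystemManufacturer": "Dell Inc.", "SystemProductName": "Latitude 7420",
             "BIOSVendor": "Dell Inc.", "BIOSVersion": "1.21.0"},
    "geo_nation": "94",    # GeoID 94 = Germany
    "enable_lua": 0,
}


def classify(snap: dict, blocked_geoids=()) -> dict:
    """Apply the tests the signatures describe to a registry snapshot.
    blocked_geoids is the geofence list; the report does not say which
    GeoIDs this sample avoids, so the caller supplies it."""
    acpi_vbox = any(s.upper().startswith("VBOX") for s in snap["acpi_dsdt_subkeys"])
    bios_text = " ".join(str(v) for v in snap["bios"].values()).upper()
    return {
        "acpi_virtualbox": acpi_vbox,
        "bios_vm_strings": any(m in bios_text for m in VM_MARKERS),
        "geofenced": snap["geo_nation"] in blocked_geoids,
        # EnableLUA missing or 1 means UAC is on; 0 means it was disabled.
        "uac_enabled": int(snap["enable_lua"]) != 0,
    }


def _subkeys(hive, path):
    import winreg
    names = []
    try:
        with winreg.OpenKey(hive, path) as key:
            while True:
                names.append(winreg.EnumKey(key, len(names)))
    except OSError:      # end of enumeration, or the key does not exist
        pass
    return names


def _value(hive, path, name, default):
    import winreg
    try:
        with winreg.OpenKey(hive, path) as key:
            return winreg.QueryValueEx(key, name)[0]
    except OSError:
        return default


def collect_snapshot():
    """Read the live values on Windows; returns None on other platforms."""
    if platform.system() != "Windows":
        return None
    import winreg
    HKLM, HKCU = winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER
    return {
        "acpi_dsdt_subkeys": _subkeys(HKLM, HKLM_ACPI_DSDT),
        "bios": {n: _value(HKLM, HKLM_BIOS, n, "") for n in BIOS_VALUES},
        "geo_nation": str(_value(HKCU, HKCU_GEO, "Nation", "")),
        "enable_lua": _value(HKLM, HKLM_UAC, "EnableLUA", 1),
    }


if __name__ == "__main__":
    live = collect_snapshot()
    print(classify(live if live is not None else VBOX_SNAPSHOT, blocked_geoids=("244",)))
```

Run on the analysis VM itself: any True in acpi_virtualbox or bios_vm_strings is a value the guest should have patched (VirtualBox exposes the DSDT/BIOS strings through its own configuration), and a True in geofenced tells you whether the configured location would have made the sample exit before encrypting anything.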

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion

  • Virtualization/Sandbox Evasion (T1497): 1 signature

Discovery

  • Query Registry (T1012): 3 signatures

  • Virtualization/Sandbox Evasion (T1497): 1 signature

  • System Information Discovery (T1082): 4 signatures

Tasks