fa1196aa3971c2f8df6d4d229b938e85944c6a62df193034003e6d03f01092be | Triage

Submit
Reports

Overview

overview

9

Static

static

1

fa1196aa39...be.exe

windows7-x64

8

fa1196aa39...be.exe

windows10-2004-x64

9

Sharing

General

Target

fa1196aa3971c2f8df6d4d229b938e85944c6a62df193034003e6d03f01092be
Size

272KB
Sample

221123-m5wg8afh46
MD5

ec7b3c41c1167a89835f604eeeb67171
SHA1

b6488a044aaf1b77d41f054d676735e70c07a38f
SHA256

fa1196aa3971c2f8df6d4d229b938e85944c6a62df193034003e6d03f01092be
SHA512

00fceda18d4b4f3fcfd0891b5d68fd69086e8de2af0d20b8b444f9b0f61c1611f6a78a9cb068c3c4f998a5b5f48ee1b6581165c56e57b65634589e501afd5d29
SSDEEP

6144:Ue34zYqHkguRuu0Ay4MubunpunBkguRuu0Ay4Mu7:cDkuupusBkuup7

Score

9^/10

evasion persistence trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

fa1196aa3971c2f8df6d4d229b938e85944c6a62df193034003e6d03f01092be.exe

Resource

win7-20220812-en

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

fa1196aa3971c2f8df6d4d229b938e85944c6a62df193034003e6d03f01092be.exe

Resource

win10v2004-20220812-en

evasion persistence trojan

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Targets

- Target
  
  fa1196aa3971c2f8df6d4d229b938e85944c6a62df193034003e6d03f01092be
- Size
  
  272KB
- MD5
  
  ec7b3c41c1167a89835f604eeeb67171
- SHA1
  
  b6488a044aaf1b77d41f054d676735e70c07a38f
- SHA256
  
  fa1196aa3971c2f8df6d4d229b938e85944c6a62df193034003e6d03f01092be
- SHA512
  
  00fceda18d4b4f3fcfd0891b5d68fd69086e8de2af0d20b8b444f9b0f61c1611f6a78a9cb068c3c4f998a5b5f48ee1b6581165c56e57b65634589e501afd5d29
- SSDEEP
  
  6144:Ue34zYqHkguRuu0Ay4MubunpunBkguRuu0Ay4Mu7:cDkuupusBkuup7
Score

9^/10

persistence evasion trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

evasionpersistencetrojan

© 2018-2024

Terms | Privacy