General

  • Target

    af38c72543a9c259788f05857235dad3dcb18c527e1093188638ee2aeb188900

  • Size

    5.9MB

  • Sample

    221130-st2sraca38

  • MD5

    5579238cd6518660b2e680ca079425d1

  • SHA1

    65f113aa7bf1365be9e27b90547486fa9841f0c1

  • SHA256

    af38c72543a9c259788f05857235dad3dcb18c527e1093188638ee2aeb188900

  • SHA512

    6fcb8d01b1f65b04a34e74a1623601c8a23d8fe8a9325989db8e2ddf845e7ac36d11aaf904d3d4f5a574e1739f49db4eb1a90a5433e0c3a908cda1bb44a85288

  • SSDEEP

    98304:Q6SdxV6zRhld9E1BlYb9uto2jgrGeweoSYp2prwvLWaNFXvow17IugzlHbGSZBN4:IV8ld98BlON2jnbNswvBXvowJgzl7GSO

Targets

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      VirtualBox guests expose ACPI tables named VBOX__ under HKLM\HARDWARE\ACPI (DSDT, FADT, RSDT); looking these keys up is a cheap way to detect that the sample is running in a VirtualBox VM.

    • Checks BIOS information in registry

      BIOS information (HKLM\HARDWARE\DESCRIPTION\System, e.g. SystemBiosVersion and VideoBiosVersion) is often read in order to detect sandboxing environments, since hypervisor vendor strings show up there.

    • Loads dropped DLL

      A DLL that the sample itself wrote to disk is subsequently loaded into the process.

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

      The UAC state is stored in the EnableLUA value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; malware reads it to decide whether an elevation bypass is needed.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      NtSetInformationThread with ThreadInformationClass = ThreadHideFromDebugger (0x11) stops the kernel from delivering that thread's debug events to an attached debugger, a common anti-debugging measure.
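
The signatures above are all observable from a process trace, so the following added example (not code from the sandbox, nor from the sample) replays them over a constructed trace. It assumes a hypothetical one-line-per-event format "<API> <argument>", it treats a DLL as "dropped" only when the trace shows the sample writing that path first, and it maps each signature to ATT&CK v6 technique IDs in the way that reproduces the matrix counts on this page (that mapping is an assumption; ATT&CK v6 has no debugger-evasion technique, so the anti-debug signature maps to nothing).

```python
from __future__ import annotations

import re
from collections import Counter

# Constructed sample trace (hypothetical "<API> <argument>" format), not taken from the report.
SAMPLE_TRACE = r"""
RegOpenKeyExW HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
RegQueryValueExW HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
RegQueryValueExW HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
RegQueryValueExW HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
NtSetInformationThread ThreadInformationClass=0x11
NtWriteFile C:\Users\user\AppData\Local\Temp\helper.dll
LoadLibraryW C:\Users\user\AppData\Local\Temp\helper.dll
LoadLibraryW C:\Windows\System32\kernel32.dll
RegQueryValueExW HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"""

# Stateless rules: (signature name, pattern over one trace line, ATT&CK v6 technique IDs).
# The technique mapping is an assumption chosen to reproduce the page's matrix counts.
RULES = [
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)",
     re.compile(r"\\HARDWARE\\ACPI\\(?:DSDT|FADT|RSDT)\\VBOX__", re.I),
     ("T1497",)),
    ("Checks BIOS information in registry",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(?:SystemBiosVersion|VideoBiosVersion|SystemBiosDate)\b", re.I),
     ("T1012", "T1082")),
    ("Checks whether UAC is enabled",
     re.compile(r"\\Policies\\System\\EnableLUA\b", re.I),
     ("T1012", "T1082")),
    # THREADINFOCLASS 0x11 is ThreadHideFromDebugger; ATT&CK v6 has no technique for it.
    ("Suspicious use of NtSetInformationThreadHideFromDebugger",
     re.compile(r"^NtSetInformationThread\b.*\bThreadInformationClass=0x11\b", re.I),
     ()),
]

TECHNIQUES = {name: ids for name, _pattern, ids in RULES}
TECHNIQUES["Loads dropped DLL"] = ()  # stateful rule, handled in scan()

WRITE_APIS = {"NtWriteFile", "WriteFile"}
LOAD_APIS = {"LoadLibraryW", "LoadLibraryExW", "LdrLoadDll"}


def scan(trace: str) -> dict[str, list[str]]:
    """Return {signature name: [matching trace lines]} for the given trace."""
    hits: dict[str, list[str]] = {}
    dropped: set[str] = set()  # paths the sample has written so far (lower-cased)
    for raw in trace.splitlines():
        line = raw.strip()
        if not line:
            continue
        api, _, arg = line.partition(" ")
        for name, pattern, _ids in RULES:
            if pattern.search(line):
                hits.setdefault(name, []).append(line)
        # "Loads dropped DLL" needs order: the write must precede the load.
        if api in WRITE_APIS:
            dropped.add(arg.lower())
        elif api in LOAD_APIS and arg.lower() in dropped:
            hits.setdefault("Loads dropped DLL", []).append(line)
    return hits


def attack_counts(hits: dict[str, list[str]]) -> dict[str, int]:
    """Count signatures (not events) per technique, as the report's matrix does."""
    counts: Counter[str] = Counter()
    for name in hits:
        for technique in TECHNIQUES.get(name, ()):
            counts[technique] += 1
    return dict(counts)


if __name__ == "__main__":
    found = scan(SAMPLE_TRACE)
    for name, lines in found.items():
        print(f"{name}: {len(lines)} event(s)")
    print(attack_counts(found))
```

Counting per signature rather than per event matters: the BIOS rule fires on two registry reads but contributes one to each of T1012 and T1082, which is why Query Registry and System Information Discovery each show 2 on this page (BIOS check plus UAC check) while Virtualization/Sandbox Evasion shows 1.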

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Virtualization/Sandbox Evasion (T1497): 1

  • Discovery

    Query Registry (T1012): 2

    Virtualization/Sandbox Evasion (T1497): 1

    System Information Discovery (T1082): 2

Tasks