Triage | Malware sandboxing report by Hatching Triage

Sharing

General

Target

BitlordSetup.exe
Size

2MB
Sample

221228-ledztaaa94
MD5

bb7701d6da492352bb2ac2c86462d253
SHA1

339afb386d5667ce36528de65d6809582b9697b9
SHA256

5234cd925873feff87965216e88adebaa7b9349383906bbd4a7c471f4023b6ba
SHA512

6321c10d09f76fbc76761f3d52bc1892e3687d9cf3c49c3dc392587ebce54ba58eafde58ff5c9b707dfa9007ef4bf01dcbd12bd3cf8624c406a6548037054028
SSDEEP

49152:/qe3f6ZL+H98AHaCfu6TfO6VWqUvQaydU9VIL7pR:iSi5E9vBuyVZUqUVIL1R

Score

10^/10

coreentity discovery persistence

Malware Config

Targets

- Target
  
  BitlordSetup.exe
- Size
  
  2MB
- MD5
  
  bb7701d6da492352bb2ac2c86462d253
- SHA1
  
  339afb386d5667ce36528de65d6809582b9697b9
- SHA256
  
  5234cd925873feff87965216e88adebaa7b9349383906bbd4a7c471f4023b6ba
- SHA512
  
  6321c10d09f76fbc76761f3d52bc1892e3687d9cf3c49c3dc392587ebce54ba58eafde58ff5c9b707dfa9007ef4bf01dcbd12bd3cf8624c406a6548037054028
- SSDEEP
  
  49152:/qe3f6ZL+H98AHaCfu6TfO6VWqUvQaydU9VIL7pR:iSi5E9vBuyVZUqUVIL1R
Score

10^/10

coreentity discovery persistence
- CoreEntity .NET Packer
  A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
  coreentity
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1 behavioral2

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

T1112

Install Root Certificate

Discovery

Query Registry

T1012

System Information Discovery

T1082

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

New Service

T1050

Privilege Escalation

Tasks

static1

behavioral1

behavioral2

coreentitydiscoverypersistence