Resubmissions

  • 05-01-2023 22:52    230105-2tv5mshb5z    9

  • 05-01-2023 20:34    230105-zcsl3sdb79    9

General

  • Target

    SAT-20220411-89287719adm-Reporte_Estado_Planilla_PDF.zip

  • Size

    5.9MB

  • Sample

    230105-2tv5mshb5z

  • MD5

    4e2cb83b7c20ce4395b75db145437ebc

  • SHA1

    bc95eb4099b4f1d85d4c6fb3068469e3af23dfd9

  • SHA256

    362a8ff401bb368ad431cc777e0be289ae267e47fbcc75b7d1d44d1062a35a55

  • SHA512

    bfd1358ef96b838df324d6d6c0fce0544c6226a93a66e413a01da4d2b105e8e9da26ba7b0d00cef1a158e6f11932f3c50ae26f8a13bbacd4d95f1f2dbb937814

  • SSDEEP

    98304:l11UrOWXfSUR/l7pLUum29eiZxT8tEG3mQGkDewUK7pReZ7p1d1dZ8ezUXsfN0:l1/vo/l6um+eiZt8taopReP1dZfYXs0

Targets

    • Target

      SAT-20220411-89287719adm-Reporte_Estado_Planilla_PDF.msi

    • Size

      6.6MB

    • MD5

      6d22f7d0d542224ba270aee85ed8b8d4

    • SHA1

      97d45fe9391164cf6cee64c5a3c93632c491eb07

    • SHA256

      4ad88b6a825af9e1eba56356bc13c02c4e49e3af64ff0eb2d09c7aeefe17e1ed

    • SHA512

      b019cdef7118a13097b22efdb8e316bc1107b7288c63415a4a173b85f7e2b28b98cf73a3df8f6058131fa9db3be341ed11ca56bf4db02e26300fd0c98f27c6ad

    • SSDEEP

      196608:V60PcuP3qU02+cr7J2F9J7htUZnb1H6d/:VF13qo+W2rtenb56Z

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and session cookies.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application (registry-based persistence)

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThread with ThreadHideFromDebugger (anti-debugging: hides the calling thread from an attached debugger)
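Before detonating or sharing a copy of this sample, a practitioner wants to confirm that the bytes in hand are the ones the report analysed, for both the ZIP and the MSI it unpacks. The script below is an added example, not part of the sandbox report or its tooling: it hashes the archive and each member in memory (nothing is extracted to disk) and compares the results against the MD5/SHA1/SHA256 values printed above. The CFB header check, the 64 MiB inflate cap, the `verify_sample.py` usage name and the report-keyed-by-bare-filename convention are my assumptions; the self-test archive built by `build_zip` is constructed, so its hashes will not (and should not) match the report.

```python
import hashlib
import io
import json
import os
import sys
import zipfile

# Hashes copied from the sandbox report above; the script trusts only these.
REPORT_HASHES = {
    "SAT-20220411-89287719adm-Reporte_Estado_Planilla_PDF.zip": {
        "md5": "4e2cb83b7c20ce4395b75db145437ebc",
        "sha1": "bc95eb4099b4f1d85d4c6fb3068469e3af23dfd9",
        "sha256": "362a8ff401bb368ad431cc777e0be289ae267e47fbcc75b7d1d44d1062a35a55",
    },
    "SAT-20220411-89287719adm-Reporte_Estado_Planilla_PDF.msi": {
        "md5": "6d22f7d0d542224ba270aee85ed8b8d4",
        "sha1": "97d45fe9391164cf6cee64c5a3c93632c491eb07",
        "sha256": "4ad88b6a825af9e1eba56356bc13c02c4e49e3af64ff0eb2d09c7aeefe17e1ed",
    },
}

# An .msi is an OLE compound file (CFB); this is its fixed 8-byte signature.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Assumed cap on what we are willing to inflate in memory (zip-bomb guard).
MAX_MEMBER_BYTES = 64 * 1024 * 1024


def digests(data: bytes) -> dict:
    """Lowercase hex MD5/SHA1/SHA256 of data (MD5/SHA1 only to match the report's fields)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def compare(actual: dict, wanted) -> str:
    """'ok' when every hash the report lists matches, 'mismatch' otherwise, 'not in report' if unlisted."""
    if wanted is None:
        return "not in report"
    return "ok" if all(actual.get(k) == v.lower() for k, v in wanted.items()) else "mismatch"


def verify_archive(archive_name: str, zip_bytes: bytes, expected: dict = REPORT_HASHES) -> dict:
    """Hash the archive and each member in memory and compare to the expected table.

    Returns {"archive": status, "members": {name: {"status": ..., "cfb_header": bool | None}}}.
    """
    result = {"archive": compare(digests(zip_bytes), expected.get(archive_name)), "members": {}}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Read at most cap+1 bytes so a lying file_size header cannot force a huge inflate.
            with zf.open(info) as fh:
                data = fh.read(MAX_MEMBER_BYTES + 1)
            if len(data) > MAX_MEMBER_BYTES:
                result["members"][info.filename] = {"status": "skipped: over size cap", "cfb_header": None}
                continue
            base = os.path.basename(info.filename)  # report keys are bare file names (assumption)
            result["members"][info.filename] = {
                "status": compare(digests(data), expected.get(base)),
                "cfb_header": data.startswith(CFB_MAGIC),
            }
    return result


def build_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used to self-test without a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python verify_sample.py <path-to-downloaded.zip>
    path = sys.argv[1]
    with open(path, "rb") as fh:
        print(json.dumps(verify_archive(os.path.basename(path), fh.read()), indent=2))
```

A member that reports "ok" but has no CFB header, or an archive whose members differ from the single MSI the report lists, is a signal that the download is not the analysed sample and should not be detonated as if it were.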
