Malware sandboxing report by Hatching Triage

General

Target

file.exe
Size

4MB
Sample

230125-red8gagf39
MD5

e20910b796fc1b4daa210ce625023d7d
SHA1

56fdaf4f2e7243c35f91e60ff0fb372c027cdd3f
SHA256

578b32f9bd3b8a0e79585e0160efa88ac127a9d28d3344aa7131061983d2bf0f
SHA512

c71985abf73be4e21ad426497cc238f2d80f7c76e269694d1ed0893e8eb148ab9b3382843aff5d47e5e8221d9d365fde88b847caca9efb887d99c0fd3edc4657
SSDEEP

98304:lAzL4t7P7CbM5zD6sILTjblMS0ugkKqRu/to5ZBHfKhBcR8gO:qX4ti4osI3jhMSNUcjHfKhBc1O

Score

10^/10

Malware Config

Targets

- Target
  
  file.exe
- Size
  
  4MB
- MD5
  
  e20910b796fc1b4daa210ce625023d7d
- SHA1
  
  56fdaf4f2e7243c35f91e60ff0fb372c027cdd3f
- SHA256
  
  578b32f9bd3b8a0e79585e0160efa88ac127a9d28d3344aa7131061983d2bf0f
- SHA512
  
  c71985abf73be4e21ad426497cc238f2d80f7c76e269694d1ed0893e8eb148ab9b3382843aff5d47e5e8221d9d365fde88b847caca9efb887d99c0fd3edc4657
- SSDEEP
  
  98304:lAzL4t7P7CbM5zD6sILTjblMS0ugkKqRu/to5ZBHfKhBcR8gO:qX4ti4osI3jhMSNUcjHfKhBc1O
Score

10^/10

privateloader discovery evasion loader spyware stealer themida trojan
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix

Collection

Data from Local System

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Tasks

Sharing

General

Malware Config

Targets

PrivateLoader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Themida packer

Checks installed software on the system

Checks whether UAC is enabled

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2