Malware sandboxing report by Hatching Triage

General

Target

file.exe
Size

4MB
Sample

230127-nvkhmsac96
MD5

ba8169b60bd162597bc91a492acbe9f0
SHA1

fe39cd7badbc1740c686648f57083eb666ad8df8
SHA256

1290f9754a269d7cf6c4be336b347e0012aede4df4fee545eed7426efddc1c4d
SHA512

3939b924cdc72f77555d5f71c5767b10b0dbf52d6f4bdcab5b2e6d87402a89a3899c4d85e537a86ad1346dbfb0c47e05e5d3a96a1d6dc7be01c644627cdc1258
SSDEEP

98304:ohbbxS7P7CbM5zD6sILTjblMS0uQvEgKNDDHoY3gnN9lMRmtbK3cNA:ohoi4osI3jhMSNQsgkDLoYwnFymRfNA

Score

10^/10

Malware Config

Targets

- Target
  
  file.exe
- Size
  
  4MB
- MD5
  
  ba8169b60bd162597bc91a492acbe9f0
- SHA1
  
  fe39cd7badbc1740c686648f57083eb666ad8df8
- SHA256
  
  1290f9754a269d7cf6c4be336b347e0012aede4df4fee545eed7426efddc1c4d
- SHA512
  
  3939b924cdc72f77555d5f71c5767b10b0dbf52d6f4bdcab5b2e6d87402a89a3899c4d85e537a86ad1346dbfb0c47e05e5d3a96a1d6dc7be01c644627cdc1258
- SSDEEP
  
  98304:ohbbxS7P7CbM5zD6sILTjblMS0uQvEgKNDDHoY3gnN9lMRmtbK3cNA:ohoi4osI3jhMSNQsgkDLoYwnFymRfNA
Score

10^/10

privateloader discovery evasion loader spyware stealer themida trojan
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix

Collection

Data from Local System

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Tasks

Sharing

General

Malware Config

Targets

PrivateLoader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Themida packer

Checks installed software on the system

Checks whether UAC is enabled

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2