Overview

overview

10

Static

static

7

Install.exe

windows7-x64

10

Install.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Install.zip

  • Size

    7.0MB

  • Sample

    230202-py4alagc82

  • MD5

    f1026d264acd9f45899e516cb79898c6

  • SHA1

    99c6cf73ad52d372a9830f1f9a0c658c41c8b2e3

  • SHA256

    e7fcce1e5f3d665159c7db8f26d0d801e6c06e61fe9fb56a02c1d511c27ada9d

  • SHA512

    32b327e8a35933bf9f206c7ca4ef96b22ec3752cb47aea88559e460bb74f27a056e79272deb2a0ab628242ab44f2e7d5e0470c0312add277f05523a511abffcb

  • SSDEEP

    98304:WYLBYs7pNyvuVUO1GUpNQNDbRJrtn3NFu4rQC0gANti2qJtFFSQtD6WZchgYejq:ZZ5CO1ToN37t3N50/kvF5yg2

Score
10/10
privateloaderevasionloaderspywarestealerthemidatrojan

Malware Config

Targets

    • Target

      Install.exe

    • Size

      684.7MB

    • MD5

      7b1891c680f6ed2164ba0e1111685e59

    • SHA1

      6edc16a653d8386503c85b8d6808fe23cff4b8d4

    • SHA256

      80b627c3ba8a4f128f7b2e9a06988a95e6db084f29c66fb43ca3491d4d847fb8

    • SHA512

      3e3496a6cd4990ba69613cb33d889513f3a08cde6af6b3946070f58f6e2bb01c4014236200dfdd9c943065beb2d4d8d42c5b3e902af80187c460bd6ffe80cc6f

    • SSDEEP

      196608:ZKXGveJUwY3JEnr0AZF5OMdyBLMmkKJDACfjttklWe:ZKXPEanYAZqMoAYMCfjj/

    Score
    10/10
    privateloaderevasionloaderspywarestealerthemidatrojan

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

3
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks