General

  • Target

    New WinRAR ZIP archive.zip

  • Size

    23.3MB

  • Sample

    230210-zrgs5acf82

  • MD5

    061875ef25c5aae8f11daa282b89e2a5

  • SHA1

    3e281c48ae8f10761ff2ec0d8735e615b315e796

  • SHA256

    ef06baf5e993b383ff6606608bf3ead3fb66748017fd4e1ca97acb25f08c70eb

  • SHA512

    237197e7f99636ee0e4c4b7312c8f92a93d4bbf5c0f4ebfa91ae2f39d2611d6ad81b7e4a0c742d91b0141a37befadd11cc382b0b7ab0aa21d8d6bb90ecf6f49a

  • SSDEEP

    393216:fiKIT1+eg8gucGB7m2m9UujapA0zhIzKGaItvd0TPY1lHcYxc/U4Pl51Zb2iM/Ia:fiKIh+egO1mXFO3tIzK6eDImYxc/U4fu

Malware Config

Extracted

Family

arrowrat

Botnet

identifier

C2

IP:PORT

Mutex

mutex

Targets

    • Target

      New WinRAR ZIP archive.zip

    • Size

      23.3MB

    • MD5

      061875ef25c5aae8f11daa282b89e2a5

    • SHA1

      3e281c48ae8f10761ff2ec0d8735e615b315e796

    • SHA256

      ef06baf5e993b383ff6606608bf3ead3fb66748017fd4e1ca97acb25f08c70eb

    • SHA512

      237197e7f99636ee0e4c4b7312c8f92a93d4bbf5c0f4ebfa91ae2f39d2611d6ad81b7e4a0c742d91b0141a37befadd11cc382b0b7ab0aa21d8d6bb90ecf6f49a

    • SSDEEP

      393216:fiKIT1+eg8gucGB7m2m9UujapA0zhIzKGaItvd0TPY1lHcYxc/U4Pl51Zb2iM/Ia:fiKIh+egO1mXFO3tIzK6eDImYxc/U4fu

    • Contains code to disable Windows Defender

      A .NET executable that turns off Windows Defender capabilities such as real-time monitoring and block at first seen.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS manufacturer and version strings are commonly read from the registry to detect virtualized or sandboxed environments, which then alters or halts the sample's behaviour.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger
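
The "Contains code to disable Windows Defender" signature above describes what the sample does to the host; the following is an added example (not part of the sandbox report and not the sample's code) of the detection logic a defender would run over forwarded Windows event logs to catch that tampering. It uses the Defender Operational channel events 5001 (real-time protection disabled) and 5007 (platform configuration changed) and PowerShell script block logging event 4104. The sample events and the "Channel|EventID|Message" line format are constructed for the example; the Set-MpPreference parameter names are real cmdlet parameters, but the list is not exhaustive.

```python
import re
from dataclasses import dataclass

DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"
POWERSHELL_CHANNEL = "Microsoft-Windows-PowerShell/Operational"

# Set-MpPreference parameters (and matching registry value names) that weaken
# protection when set. Real names, non-exhaustive list.
TAMPER_NAMES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableBlockAtFirstSeen",
    "DisableIOAVProtection",
    "DisableScriptScanning",
    "SpynetReporting",
    "SubmitSamplesConsent",
}

# Constructed sample events in a flattened "Channel|EventID|Message" form,
# as a log forwarder might emit them. Not taken from the sandbox run.
SAMPLE_EVENTS = [
    f"{DEFENDER_CHANNEL}|5001|Windows Defender Antivirus Real-time Protection scanning for "
    "malware and other potentially unwanted software was disabled.",
    f"{POWERSHELL_CHANNEL}|4104|Creating Scriptblock text (1 of 1): "
    "Set-MpPreference -DisableRealtimeMonitoring $true -DisableBlockAtFirstSeen $true",
    f"{DEFENDER_CHANNEL}|5007|Windows Defender Antivirus Configuration has changed. "
    "Old value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring = 0x0 "
    "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring = 0x1",
    f"{POWERSHELL_CHANNEL}|4104|Creating Scriptblock text (1 of 1): "
    "Get-Process | Where-Object { $_.CPU -gt 100 }",
    f"{DEFENDER_CHANNEL}|1116|Windows Defender Antivirus has detected malware or other "
    "potentially unwanted software.",
]

_MPPREF_RE = re.compile(r"\b(Set|Add)-MpPreference\b(?P<args>[^;\n]*)", re.IGNORECASE)
_SWITCH_RE = re.compile(r"-(?P<name>[A-Za-z]+)\s*(?P<val>\$true|\$false|\d+)?", re.IGNORECASE)
_EXCLUSION_RE = re.compile(r"-Exclusion(Path|Process|Extension)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    event_id: int
    rule: str
    detail: str


def parse_event(line):
    """Split one flattened log line into (channel, event_id, message)."""
    channel, event_id, message = line.split("|", 2)
    return channel, int(event_id), message


def classify(line):
    """Return a Finding if the event indicates Defender tampering, else None."""
    channel, event_id, message = parse_event(line)
    if channel == DEFENDER_CHANNEL:
        if event_id == 5001:
            return Finding(event_id, "realtime_protection_disabled",
                           "Defender reported real-time protection turned off")
        if event_id == 5007:
            low = message.lower()
            hits = [n for n in sorted(TAMPER_NAMES) if n.lower() in low]
            if hits:
                return Finding(event_id, "defender_config_changed", ", ".join(hits))
        return None
    if channel == POWERSHELL_CHANNEL and event_id == 4104:
        m = _MPPREF_RE.search(message)
        if not m:
            return None
        args = m.group("args")
        if _EXCLUSION_RE.search(args):
            return Finding(event_id, "defender_exclusion_added", args.strip())
        # Bare -Disable* switches default to $true in PowerShell.
        disabled = [sw.group("name") for sw in _SWITCH_RE.finditer(args)
                    if sw.group("name").lower().startswith("disable")
                    and (sw.group("val") or "$true").lower() == "$true"]
        if disabled:
            return Finding(event_id, "mppreference_disable_switch", ", ".join(disabled))
    return None


def scan(lines):
    """Classify every line and return only the tampering findings, in order."""
    return [f for f in (classify(line) for line in lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"event {finding.event_id}: {finding.rule} ({finding.detail})")
```

Event 5001 alone is enough to alert on; the 4104 rule exists because the cmdlet invocation is logged before Defender records the resulting state change, and the 5007 rule catches changes made through the registry or Group Policy rather than through PowerShell.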

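The two anti-VM signatures above (VirtualBox via ACPI registry values, BIOS information in the registry) name the registry locations the sample inspects. As an added example that is not part of the report, the following script performs the same checks so an analyst can see which artifacts an analysis VM exposes and needs to mask. The ACPI table keys under HKLM\HARDWARE\ACPI carry the OEM ID "VBOX__" on a VirtualBox guest, and the BIOS strings under HKLM\HARDWARE\DESCRIPTION\System contain the hypervisor name. The snapshot dictionary layout, the two sample snapshots and the marker list are this example's own assumptions; on Windows the snapshot is collected with the standard-library winreg module, elsewhere the constructed snapshots are assessed.

```python
import sys

# ACPI table keys whose subkey names are the firmware OEM ID.
ACPI_TABLE_KEYS = [r"HARDWARE\ACPI\DSDT", r"HARDWARE\ACPI\FADT", r"HARDWARE\ACPI\RSDT"]
ACPI_VM_OEM_IDS = {"VBOX__": "VirtualBox"}

# (key, value name) pairs holding BIOS identification strings.
BIOS_VALUES = [
    (r"HARDWARE\DESCRIPTION\System\BIOS", "SystemManufacturer"),
    (r"HARDWARE\DESCRIPTION\System\BIOS", "SystemProductName"),
    (r"HARDWARE\DESCRIPTION\System\BIOS", "BIOSVendor"),
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
    (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"),
]
# Case-insensitive substrings that identify a hypervisor (assumed marker list).
BIOS_VM_MARKERS = {
    "virtualbox": "VirtualBox", "vbox": "VirtualBox", "innotek": "VirtualBox",
    "vmware": "VMware", "qemu": "QEMU", "bochs": "QEMU/Bochs",
}

# Constructed snapshot of a stock VirtualBox guest (example data, not a capture).
CONSTRUCTED_VBOX_SNAPSHOT = {
    "acpi_oem_ids": {table: ["VBOX__"] for table in ACPI_TABLE_KEYS},
    "bios": {
        BIOS_VALUES[0]: "innotek GmbH",
        BIOS_VALUES[1]: "VirtualBox",
        BIOS_VALUES[2]: "innotek GmbH",
        BIOS_VALUES[3]: ["VBOX   - 1"],
        BIOS_VALUES[4]: ["Oracle VM VirtualBox Version 6.1.38 VBE"],
    },
}
# Constructed snapshot of a physical laptop (example data, not a capture).
CONSTRUCTED_BARE_METAL_SNAPSHOT = {
    "acpi_oem_ids": {table: ["LENOVO"] for table in ACPI_TABLE_KEYS},
    "bios": {
        BIOS_VALUES[0]: "LENOVO",
        BIOS_VALUES[1]: "ThinkPad X1",
        BIOS_VALUES[2]: "LENOVO",
        BIOS_VALUES[3]: ["LENOVO - 1"],
        BIOS_VALUES[4]: ["Hardware Version 0.0"],
    },
}


def assess(snapshot):
    """Return [(registry path, hypervisor)] for every artifact in the snapshot."""
    findings = []
    for table, oem_ids in snapshot.get("acpi_oem_ids", {}).items():
        for oem in oem_ids:
            if oem in ACPI_VM_OEM_IDS:
                findings.append((f"HKLM\\{table}\\{oem}", ACPI_VM_OEM_IDS[oem]))
    for (key, name), data in snapshot.get("bios", {}).items():
        # REG_MULTI_SZ values (SystemBiosVersion, VideoBiosVersion) come back as lists.
        text = " ".join(data) if isinstance(data, (list, tuple)) else str(data)
        low = text.lower()
        for marker, product in BIOS_VM_MARKERS.items():
            if marker in low:
                findings.append((f"HKLM\\{key}\\{name}", product))
                break
    return findings


def collect_from_registry():
    """Read the same keys from the live registry (Windows only)."""
    import winreg
    snapshot = {"acpi_oem_ids": {}, "bios": {}}
    for table in ACPI_TABLE_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, table) as key:
                names, index = [], 0
                while True:
                    try:
                        names.append(winreg.EnumKey(key, index))
                        index += 1
                    except OSError:
                        break
                snapshot["acpi_oem_ids"][table] = names
        except OSError:
            pass  # table absent on this machine
    for key_path, name in BIOS_VALUES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
                snapshot["bios"][(key_path, name)] = winreg.QueryValueEx(key, name)[0]
        except OSError:
            pass
    return snapshot


if __name__ == "__main__":
    snap = collect_from_registry() if sys.platform == "win32" else CONSTRUCTED_VBOX_SNAPSHOT
    for path, product in assess(snap) or [("(none)", "no hypervisor artifact found")]:
        print(f"{path}: {product}")
```

An empty result on a physical host does not prove the sample would run; it checks only the registry paths named by these two signatures, and the Themida and NtSetInformationThread items in the same list point to further anti-analysis checks that this script does not cover.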
MITRE ATT&CK Enterprise v6

Tasks