General

  • Target

    ImGL.exe

  • Size

    17.3MB

  • Sample

    230314-3eslmscc4w

  • MD5

    8e29c41a5c3c262532ad1bf51eef3825

  • SHA1

    4e866a3606e7162bc73c6d4704019471affc0146

  • SHA256

    e236c116a40f04fd4e2a76bc3429032344619b5919c51138a1cc4372c8b383d7

  • SHA512

    063b384af1cb53822337d3870a2c67ad376cde7d9748b7bbec123d8e0a2edf50035cd2f7e6a31924e5bf3d0ed07033c86ae4f588227149c39b71420ba8db7533

  • SSDEEP

    393216:fL1oDJRpoiqIl4TA81XZVPtj1PLB3xTpyC53xVu7vHhqBa4Cs:fhQmUOM8RZdPPF3tPpHCpqBa4C

Malware Config

Targets

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Virtualization/Sandbox Evasion (T1497): 1 signature

  • Discovery

    Query Registry (T1012): 2 signatures

    Virtualization/Sandbox Evasion (T1497): 1 signature

    System Information Discovery (T1082): 2 signatures

Tasks