General

  • Target: dedeceb8284ebc184f1a02840c36140986defef77be965f8e5fd78b8e47a25a5
  • Size: 6MB
  • Sample: 230318-hzsf6abe97
  • MD5: 9468ee14458c641df58cc7cee92e7719
  • SHA1: d2586659aebfbe2d873bba54ba29bd7920c72994
  • SHA256: dedeceb8284ebc184f1a02840c36140986defef77be965f8e5fd78b8e47a25a5
  • SHA512: bab5a67ffe9b133f0f84c1082193ada89873463d6aac5f001d303edfb0c58a4cf9207c24e8594ac18a843003d49164ded57413b2acc5640192f651650f7d3ccf
  • SSDEEP: 196608:WDlnTW4qWp/q4O6bTLICybW/RiuDIuUf7EhLTrF6f6:2dTFqWpd7LXJzDHU/6

Malware Config

Targets

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
      • Virtualization/Sandbox Evasion (T1497): 1

  • Discovery
      • Query Registry (T1012): 2
      • Virtualization/Sandbox Evasion (T1497): 1
      • System Information Discovery (T1082): 3

Tasks