e656431198544bfd87e1419866999321dbf84b40a5e8cad5ad498d3b2a5a831d | Triage

Sharing

General

Target

Iridium (1).rar
Size

21.2MB
Sample

230319-3ka9jscg3y
MD5

ef68de73baa7096f3f81d1f79432d596
SHA1

f06766cf513906141d3897e2d6a76ce0db152f12
SHA256

e656431198544bfd87e1419866999321dbf84b40a5e8cad5ad498d3b2a5a831d
SHA512

b9d86563394e06c7fc4ecae95d062ebc760220799abd9fe18c49abc9091a3b2a5b9d42b513d5321e40f1bc90c6becb48801dce3d158cd71f7d3d77c03f2f7556
SSDEEP

393216:V1xuJukOScyW7jwpKmgDOm5GRdh+SDO84xYfzWVXhW:NuJ1OSc1a3APUdh7O85fIxW

Score

9^/10

evasion themida trojan

Malware Config

Targets

- Target
  
  IridiumGhost.exe
- Size
  
  9.5MB
- MD5
  
  4d05b8f89db009f8e2002ac5fd19d174
- SHA1
  
  cb224c87d570a149612c7fe106ae07580c4cb4ca
- SHA256
  
  f0ba1267dc727dd403569559eeb65acf4634fed094a4c6e2ac7c5e3d5c4ea962
- SHA512
  
  a08f17d06548de621f3570127bedeafc4ae4a4eede5fd5aa530c822de3a9addddea5ddc068555e7cd82baa38c7d0c2d8a0cea06690c667dc2fa2ab800891aab0
- SSDEEP
  
  196608:3Z9H90i670uKZNGZfpIgQ2Tr4zR0s85toyMW7HnHaIRqUFYn:p9dMQuKZNu82Trc0s85tXd6+qUq
Score

5^/10
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1
- Target
  
  IridiumPatcher.exe
- Size
  
  5.7MB
- MD5
  
  3ede242cabdcb2e4c924cbe57bf0c98b
- SHA1
  
  5020f590ab691d6112fb9b59edeac682e2f8ccc3
- SHA256
  
  bc59a0885c8bb6c546dc0d24fdb11ed5455fda613211a7eefb78efa4cf7142d0
- SHA512
  
  0aada6083ebd5c61a7b31016eea34aa6fb22e5e009475e6a816364e0519cb3e0b754d265bb3bd36a81d8ee619a31f4fb9ed3337b915213dadad225abf8da21ae
- SSDEEP
  
  98304:kow72zizDt90qtSiolWp/FElnW4NMVfCfkQ9SMaM9295M8SHCr3GZwVQsbjRc6o8:0AinP0eSiolBzlcQHaiISirHBd2DWSHO
Score

9^/10

evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral2
- Target
  
  Kangaroo.dll
- Size
  
  6.3MB
- MD5
  
  2c1a6a4481ece15c16e1f98da6288e29
- SHA1
  
  d3c1360bd6dc217a70235ed20b93ce600b729169
- SHA256
  
  72941659f5942c154020278e5119727f1943daf60948a2bcb02b7c122b387fde
- SHA512
  
  efd2c91ce00284683bc38de6b5d3aab6ffd5fdc0b570a078d24d544a2607f54edc4824a9dcf72172308db4bc1a010226839b19ee2fa7fc0e7a748cbb49cfb358
- SSDEEP
  
  196608:vcGIMFuFXnzNkpzF0jLh+RRw9+tkYjHNhve:vc2F2jN4Wh+RI
Score

9^/10

evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral3

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

evasionthemidatrojan

behavioral3

evasionthemidatrojan