General

  • Target

    b9d635f3b9813943221249aa312ec50d.exe

  • Size

    6.3MB

  • Sample

    230319-rx1jesag9s

  • MD5

    b9d635f3b9813943221249aa312ec50d

  • SHA1

    27774bbdb9cc9d2f026533c3c36eee06d4d7908e

  • SHA256

    7fcd90faf86392f69e354b1d557f531c467636d995be118cc1b9dd20acd66848

  • SHA512

    a99ebfccd7b718e0e738a84fbedd5ce9003f2ceb38ca82604516459a143affe3851f24e6303013ad896f1ece0579a89aefce8aca5e5f4bb9e0cf657ddb8d1d48

  • SSDEEP

    196608:sxeUbegYe8hMuBHvNoLlG3g/5v1w+P6X+:seUbe5hVvyLHhv36X

Malware Config

Targets

    • Target

      b9d635f3b9813943221249aa312ec50d.exe

    • Size

      6.3MB

    • MD5

      b9d635f3b9813943221249aa312ec50d

    • SHA1

      27774bbdb9cc9d2f026533c3c36eee06d4d7908e

    • SHA256

      7fcd90faf86392f69e354b1d557f531c467636d995be118cc1b9dd20acd66848

    • SHA512

      a99ebfccd7b718e0e738a84fbedd5ce9003f2ceb38ca82604516459a143affe3851f24e6303013ad896f1ece0579a89aefce8aca5e5f4bb9e0cf657ddb8d1d48

    • SSDEEP

      196608:sxeUbegYe8hMuBHvNoLlG3g/5v1w+P6X+:seUbe5hVvyLHhv36X

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

6
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

6
T1082

Peripheral Device Discovery

1
T1120

Collection

Data from Local System

2
T1005

Tasks