Overview

overview

9

Static

static

1

52a70a8092...2c.exe

windows7-x64

7

52a70a8092...2c.exe

windows10-2004-x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    52a70a809294561f69bb7016818e295779d8e00c797097cf77d534ed3a07dd2c.zip

  • Size

    7.2MB

  • Sample

    230321-qpxbcsae53

  • MD5

    031672bfb36f87811e3a900ae22f6722

  • SHA1

    93b382fbd084b12adf4409ab2639ed1ed9e90d8b

  • SHA256

    bd5203152688558808ba7268f9282d8479a080eb7d20430043ee04376ce5ec7c

  • SHA512

    11e1bfb2f3c13232fdba5efe175a02a174164c467d28725aa78fe7e7a603243091c216ed7ca4e9accf4481347b6151aadf51d7b8eee9f577a38373f77fbc9e59

  • SSDEEP

    196608:M5FCoejg8WWYIB6CIduUs91KS0oHAOdcqxjaPzYl8hvg5wEGq:AFVejuWrBBIdi94kuDo55

Score
9/10
discoveryevasionspywarestealerthemidatrojan

Malware Config

Targets

    • Target

      52a70a809294561f69bb7016818e295779d8e00c797097cf77d534ed3a07dd2c.exe

    • Size

      7.5MB

    • MD5

      d32cd492ab44503128b89ba0ae6778cb

    • SHA1

      78c4d59a96f7e025fa7ebe80030fd9bb4547d21a

    • SHA256

      52a70a809294561f69bb7016818e295779d8e00c797097cf77d534ed3a07dd2c

    • SHA512

      028b44c1eea7142e8f50d17d3de28030255689ff53cc4ef9dc505fb6feef649edbb1a59e8796ce84222e94d370b7ddc9d1aee3baff946e4862529d310641f64e

    • SSDEEP

      196608:utjk/L5eZGBmm5t+fYOBaBMVrLWD+o88Vl:qxGBpIf9jVWD+o8sl

    Score
    9/10
    discoveryspywarestealerevasionthemidatrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

6
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

6
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks