Overview

overview

9

Static

static

1

e39e047850...dc.exe

windows7-x64

9

e39e047850...dc.exe

windows10-2004-x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e39e047850594b792efd9c8ad328c9c32e15c77e9b4576d1c664703c7dcc8fdc.zip

  • Size

    5.9MB

  • Sample

    230321-qpyt7ace8v

  • MD5

    228c8ad59f4c35de2db4670d2b73105a

  • SHA1

    34926b776b4be95426364aca21e463f5377f10e9

  • SHA256

    de10af846eec851b21deeabf06acfe2029a953121b7759e6af6380c5fc015f8b

  • SHA512

    7787d9c19b612495d133c2b3d6a458b04805f7137dba35c4fddb5c96ad6976812feabae0c1e8f9bd73a38423eea624e325cc6baa8bde1feb3be3a643e3d32b8d

  • SSDEEP

    98304:0vXY9VGYhsHf+cJTMz7/spKSIp5sBvD8YL0albAFGbhTaSrAMfz2vpk8OXGTMw3i:y4VZuHf+Wi70vD/LZrguIpkXXRNOxq2o

Score
9/10
discoveryevasionspywarestealerthemidatrojan

Malware Config

Targets

    • Target

      e39e047850594b792efd9c8ad328c9c32e15c77e9b4576d1c664703c7dcc8fdc.exe

    • Size

      6.3MB

    • MD5

      5e62ce2c758268030b2e673252c7c199

    • SHA1

      80963e2c068c9b75bec6214e817435cbba17bbe0

    • SHA256

      e39e047850594b792efd9c8ad328c9c32e15c77e9b4576d1c664703c7dcc8fdc

    • SHA512

      93493a9e5f89f616eb3449bbb41c9027e3df69af6250f121ec993e22250265a5a774d4d8a6f9d08a06129278a0c16434c5d28a73d751f25af78e2d5c02459eaa

    • SSDEEP

      98304:WI9ZCfZk3RIGgWhMIjVRr7SaB/JjNv+w3S+/KWpnMgcKrVuOtGTIDzO+kA6w2:WQoZ1zWhMIpBdJp+XGKinMg3u9MzeO2

    Score
    9/10
    discoveryevasionspywarestealerthemidatrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

6
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

6
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks