General

  • Target

    e3ecfadcc199765a2ad369615ec17b5b95cb0f5a29cc45eb2e8d2e9d575807d1.zip

  • Size

    4.0MB

  • Sample

    230321-r3g92abd44

  • MD5

    73a3098f8d9647588f587c89f5d4a703

  • SHA1

    152900828f8ecd321810627b17fff27d7b9f6a7f

  • SHA256

    66aeb66b7ab30273157a2e62a66e346d39ba2589ba13db435875cd10fd94da0b

  • SHA512

    fb720eb96b004ce54207dcd860c3df114913a206fc249ceccc57452945fb5250ed5683851bb0281e66492c1289376534a1619f5dd464f0115120fd6cef614fae

  • SSDEEP

    98304:Jts6Xs31dJ9+Wk4LyDLzTFF8eIcUngqX3cg5g:jjsb2ULKFavfgqXR5g

Malware Config

Targets

    • Target

      e3ecfadcc199765a2ad369615ec17b5b95cb0f5a29cc45eb2e8d2e9d575807d1.exe

    • Size

      6.0MB

    • MD5

      434e131214711a082fb458ddf1d18c2a

    • SHA1

      cdc9c56159c24492c4f5f8f968e9b5ab16171bda

    • SHA256

      e3ecfadcc199765a2ad369615ec17b5b95cb0f5a29cc45eb2e8d2e9d575807d1

    • SHA512

      60379db97207327e268a0417c1c9bf33f2e23ea946cb92b9bf5d96c119e9fd80ef19afcda2a571b1c0a3bb2b949e8eb2b7c3e9af0d8dddac8aded505745a60ee

    • SSDEEP

      98304:2wb0bWHT4Ld9bHpNSFwjfEgNCdkkBQEiCgXyh6246:Lo8q5vsw1N0BTjj

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger information class, which stops debug events for that thread from reaching an attached debugger; a common anti-debugging technique.

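The registry-based signatures above (VirtualBox ACPI values, BIOS information, Uninstall-key enumeration, the UAC check) can be reproduced as a small triage classifier over sandbox registry-read events. The following is an added example, not code from the sandbox or from this report: the event tuple format, the `classify` and `techniques` functions, the enumeration threshold and the per-signature ATT&CK v6 mapping are assumptions made for illustration, and the sample events are constructed.

```python
"""Classify sandbox registry-read events into the registry-based behaviours
listed in this report. Added example: the event format (process, operation,
key path) is a constructed simplification, not a sandbox export format."""
import re
from collections import defaultdict

# Signature name -> (ATT&CK v6 technique ID, key-path regexes).
# The IDs are those used in this report's matrix; which signature maps to which
# ID is an assumption for illustration. Key paths are the well-known ones.
RULES = {
    "Identifies VirtualBox via ACPI registry values": (
        "T1497",
        [r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__"],
    ),
    "Checks BIOS information in registry": (
        "T1082",
        [r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS\\(SystemManufacturer|SystemProductName)$",
         r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion)$"],
    ),
    "Checks installed software on the system": (
        "T1012",
        [r"^HKLM\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Uninstall\\[^\\]+\\DisplayName$"],
    ),
    "Checks whether UAC is enabled": (
        "T1012",
        [r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA$"],
    ),
}
COMPILED = {name: (tid, [re.compile(p, re.IGNORECASE) for p in pats])
            for name, (tid, pats) in RULES.items()}

# Reading one Uninstall entry is ordinary installer behaviour ("is my app
# already installed?"); walking many entries is what makes it enumeration.
UNINSTALL_MIN_ENTRIES = 5
READ_OPS = {"RegOpenKey", "RegQueryValue", "RegEnumKey", "RegEnumValue"}


def classify(events):
    """Return {signature: {"technique": id, "keys": [...]}} for the events that
    match a rule. Writes are ignored: these signatures are about reads."""
    hits = defaultdict(set)
    for _proc, op, key in events:
        if op not in READ_OPS:
            continue
        for name, (_tid, pats) in COMPILED.items():
            if any(p.search(key) for p in pats):
                hits[name].add(key)
    result = {}
    for name, keys in hits.items():
        if name == "Checks installed software on the system" and len(keys) < UNINSTALL_MIN_ENTRIES:
            continue  # below the enumeration threshold: not reported
        result[name] = {"technique": COMPILED[name][0], "keys": sorted(keys)}
    return result


def techniques(result):
    """Distinct ATT&CK IDs covered by a classify() result, sorted."""
    return sorted({v["technique"] for v in result.values()})


# Constructed sample: one process reading the anti-VM and discovery keys,
# plus an unrelated read and one write that must not count.
SAMPLE_EVENTS = [
    ("sample.exe", "RegOpenKey", r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"),
    ("sample.exe", "RegQueryValue", r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"),
    ("sample.exe", "RegQueryValue", r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    ("sample.exe", "RegQueryValue", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    ("sample.exe", "RegQueryValue", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData"),
    ("sample.exe", "RegSetValue", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
] + [
    ("sample.exe", "RegQueryValue",
     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\App%d\DisplayName" % i)
    for i in range(6)
]

# Constructed counter-example: a single Uninstall lookup, which stays silent.
SINGLE_LOOKUP_EVENTS = [
    ("setup.exe", "RegQueryValue",
     r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\App0\DisplayName"),
]

if __name__ == "__main__":
    for name, info in classify(SAMPLE_EVENTS).items():
        print(f"{info['technique']}  {name}  ({len(info['keys'])} keys)")
```

The threshold on Uninstall reads is the caveat worth keeping when turning a sandbox signature into a detection: the key paths alone are read by plenty of legitimate installers, so the count of distinct entries, not the key itself, carries the signal.
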
MITRE ATT&CK Matrix (ATT&CK v6)

Tactic                Technique                        Count  ID
Execution             Scheduled Task                   1      T1053
Persistence           Scheduled Task                   1      T1053
Privilege Escalation  Scheduled Task                   1      T1053
Defense Evasion       Virtualization/Sandbox Evasion   1      T1497
Defense Evasion       Install Root Certificate         1      T1130
Defense Evasion       Modify Registry                  1      T1112
Credential Access     Credentials in Files             2      T1081
Discovery             Query Registry                   4      T1012
Discovery             Virtualization/Sandbox Evasion   1      T1497
Discovery             System Information Discovery     4      T1082
Collection            Data from Local System           2      T1005

Tasks