Overview

overview

9

Static

static

1

23e3550cb4...c1.exe

windows7-x64

9

23e3550cb4...c1.exe

windows10-2004-x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    23e3550cb43e9362251d56005e3c961c426d8e065ff2f2123f457e217415f6c1.zip

  • Size

    6.4MB

  • Sample

    230321-rxqn8adb71

  • MD5

    747a31043d4d4e4fabeec141b52cd73b

  • SHA1

    68bb27da7b6f11ac8db6ecf986198ad99dc471f3

  • SHA256

    d50498707804630a79d5930400dec046a9b53fab1cffb1c332bb2b0fa6920113

  • SHA512

    442ce7f456830a6cb63753f639cd6ccaae20b442cc1905a21c175983525264a573bb8e883e85590cedd221faa7aa8fdc490e1acdd8a17858619948bdd35cd4dd

  • SSDEEP

    98304:QCPt/mSiURgQ3UoLXqRL67miuxDK9ittMa1lQVlq8Uq9Hyr4lJ8eUEK22zXr8zCV:3PdGQkQB7wgifLniFA28lV2Gg+Dpv

Score
9/10
discoveryevasionspywarestealerthemidatrojan

Malware Config

Targets

    • Target

      23e3550cb43e9362251d56005e3c961c426d8e065ff2f2123f457e217415f6c1.exe

    • Size

      6.8MB

    • MD5

      ca6b1b3b00d1bdccb7cc73255bc97329

    • SHA1

      88923d5bf5f29cab5fe3ac66459bc94d709b06a1

    • SHA256

      23e3550cb43e9362251d56005e3c961c426d8e065ff2f2123f457e217415f6c1

    • SHA512

      fd92162cb9fc5f0a22e25b17cf9386034121af061b821531823292778978f7f44c2e51a7eadc07e902560ec8cffd389a40dd32649ffe3782fbf956dc293224b3

    • SSDEEP

      196608:V09b1yxhIsD1xLyVUZIBZjUQHQ8dq9XvjUQ:V09bsBvy2GjeV

    Score
    9/10
    discoveryevasionspywarestealerthemidatrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

6
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

6
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks