Overview

overview

9

Static

static

1

7d23a41da6...3b.exe

windows7-x64

7

7d23a41da6...3b.exe

windows10-2004-x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7d23a41da6b0a4c455aed086067e7eb764669ce4e567b9b11cb97588eccb903b.zip

  • Size

    6.4MB

  • Sample

    230321-rxr72sdb8v

  • MD5

    b54a01d322cf4287d7dfaecf7638a220

  • SHA1

    c05bbc75b84f5e4f9b42c6999b83d488fe079186

  • SHA256

    e4ca23d07c3a6c7185aa0cbe28ea568f84918dc6c472112f0da076e86384ad1f

  • SHA512

    433545f5fd192eab452db37c91c5266f4d4a9d1405d5241da717c6d061cdae224a0c9cf45393d0e14ea6bec056a017760b524d4b4e81943051dcee1e2a768cf9

  • SSDEEP

    98304:F2rz1Z3nAGHprpb+2jDJpfHIspp8d3fpod3gSmT9e4VJiiPLK8MGcRy7Gwhsf5Xg:YHXdHpo2JBJIRod3sNqijK0tsf5JKm8L

Score
9/10
discoveryevasionspywarestealerthemidatrojan

Malware Config

Targets

    • Target

      7d23a41da6b0a4c455aed086067e7eb764669ce4e567b9b11cb97588eccb903b.exe

    • Size

      6.7MB

    • MD5

      da503ddb68a25aa665e0e15855ef4012

    • SHA1

      0c016eb8eb016a1d0d36e1dc338e2766d40c7464

    • SHA256

      7d23a41da6b0a4c455aed086067e7eb764669ce4e567b9b11cb97588eccb903b

    • SHA512

      eff07f20f8d9ba9b337220a4143d61eeabee58a3788f796563581e7ad5dcd6a297124987ebab8675752fd3f0a3cb14fbd29d7dc9ae568aa866ce3be8734fbc47

    • SSDEEP

      98304:fPTCG6TDhi5vXL1tnX5Iz3OIyN5RRZc2B9iv/BE645Z5rhnqrKUIqf5pQNVPoPY:f7CG6TQZLzkeIcRZvBQvq6erFQKqLQ3

    Score
    9/10
    discoveryspywarestealerevasionthemidatrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

6
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

6
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks