f7f336955fa601fcd9ecb0e30911e6543882b2027dcbd27ac307d25fabd342db

Sharing

Copy URL

Twitter E-mail

General

Target

Meta_Unban.zip
Size

13.4MB
Sample

230322-fgkmgseh76
MD5

9365a9dd67b6006032ed868c1c4396c1
SHA1

667f05fc506d6e40c1736b0d1074c17cb55fa992
SHA256

f7f336955fa601fcd9ecb0e30911e6543882b2027dcbd27ac307d25fabd342db
SHA512

03392ef21da3a416629cbd19becaa8800066d45a6633fc6e58b7755bb0c3a0bb674170a8ca1fd7669c1aa3de93ebe747f8e7f7aa49175fda5b20267221737e37
SSDEEP

393216:KN9lo2N0xqij84C+vJp2/97Uz0eZsaBG+ltbN35PurePwJIZl:Kto2uL84C+vJp2/97xeugGkbN35GrZJY

Score

9^/10

Malware Config

Targets

- Target
  
  Meta Unban/Cleaners/AppleCleaner.exe
- Size
  
  3.6MB
- MD5
  
  da2176757b2fead6539243b42057cb3c
- SHA1
  
  e14195bd4066e90c821caabd6ca63a173c1ca802
- SHA256
  
  1a62ed192ff4a7bd746fa24c8d7cd96578a4c7e9f0d4a6651a2a3d0baff9c433
- SHA512
  
  b9d13ecd8679064bc4cd9dbd823ba5367aebe13177c9ed5e6c6c40d70823ed32977bd40cde73ccfaa49f6f32b19b4f06f9396beb145bd774891d4290873c735d
- SSDEEP
  
  98304:gmQu0iNucsADierKQYRc4sNHOZjKg5tkdv+HR5+a:fQabDieOQ944HOZjp5tkx+x3
Score

9^/10

evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  Meta Unban/Cleaners/AppleS5-DEL.exe
- Size
  
  3.1MB
- MD5
  
  6af7ea6d60309e7a05339a72accc2074
- SHA1
  
  1ccfcccae4a481c29c8b142715a9dee070918df9
- SHA256
  
  eb8302fbd0a3eda7620c0af1728a5d151afe1648d07525862c3701fc34c36d63
- SHA512
  
  bd5e87af04689d7ba11f4d08dae3396de3260d0af8d5813a664bce4b4105f1721b2cbddfc3c8bfb1013f357581b2841790ae523213fa5487c9b39b12198bdc2d
- SSDEEP
  
  49152:WMn54uFpQJqpleSBtthqtwRTJP8fOa9pu75KEpIj4ZVCbshPW6G9VSpnZ:AJmeqt31qOaPIUEnbOePWv3gZ
Score

9^/10

evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Modifies Windows Firewall
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral3 behavioral4
- Target
  
  Meta Unban/Cleaners/BadwareCleaner.exe
- Size
  
  3.3MB
- MD5
  
  5f876b340b56f98e820816ec05e56d34
- SHA1
  
  3bcdb73f1672e21776cf0ce0c96c8d5496f91586
- SHA256
  
  08cf4a012c0aab62dc068e7a20fd1582f215f927c4185481da60ada9b636d282
- SHA512
  
  52497f6e6235da94dcfd84570df876905102e60b5ef030a6f445649c7b789574b09794a47640c27dc4d78fea0efd67cf1578532c8112ae24057da06091901cb9
- SSDEEP
  
  49152:kKtU2HL/scLu2asJ5RGCBF1hdgKtS5jwiCmNAlNsYmYmWA5IxfRU2Sph0afojHBX:BtqfsrgqSKA5jJCuAluvWA6fUD+0oB
Score

9^/10

evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Stops running service(s)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral5 behavioral6
- Target
  
  Meta Unban/Cleaners/BadwareDeepCleaner.exe
- Size
  
  771KB
- MD5
  
  344806d69d5895c4a178cb32278ca18f
- SHA1
  
  dac2dee6f31fe824cc639ccde87be0c83687e1a3
- SHA256
  
  5e7647b583e649e29af7662c858cac16041a8088e6f5deffa6f1d0148f460476
- SHA512
  
  2377db2048e1aeaea71b79d2fdf2090789c7c5d73cf0e02727e7c7ac6d9b024e6bcb4b40744bb5dd8166620e6a735b60c6cf7f3fccb39e27c309f988351c71fd
- SSDEEP
  
  24576:PP+pvZyI9oiJfJulj1CBMeIFjKuQdGhSaApNrWSvUghmjpoVb3/k2JPQIFfUnI8M:X+pxNoxlj1CBMeIFjKuQdGhSaApNrWS0
Score

8^/10

evasion spyware stealer
- Stops running service(s)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral7 behavioral8
- Target
  
  Meta Unban/Cleaners/EventCleaner.exe
- Size
  
  219KB
- MD5
  
  9353ed7c3ba8e2417ce2664ae7afac16
- SHA1
  
  05699a2a2792795db1d8f59273172ad80bdc8b06
- SHA256
  
  069b31cb7f9054647b684da4fc5263fa690e32d75729ec6b5c808b0c532b9628
- SHA512
  
  cb456c14c9ef6f49a92c989668bedb423e4020b761e627c4d67f90e855e9385d58cf0d1e024a0c728126cccdad2836615d23cd3011a8447470482ca939795262
- SSDEEP
  
  6144:Qtzsb5Uh28+V1WW69B9VjMdxPedN9ug0z9TB9SmDqzW:QtzE5elwLz9TrVeW
Score

9^/10

evasion ransomware
- Clears Windows event logs
  evasion ransomware
behavioral10 behavioral9
- Target
  
  Meta Unban/Cleaners/Fivem-Cleaner.bat
- Size
  
  1KB
- MD5
  
  74e7b9574aea7d121519ceaa8f5cb522
- SHA1
  
  97b634ef75ce87383ec4d5344e84e7abda65a523
- SHA256
  
  2e4462f3d686ccfff602b779941ff385144ed683d638b2ed49d552f88df88639
- SHA512
  
  a7dec954de38bb44478c0cec51fdb111f98ecd02587dd25dfb46a641cdc3c95554985216d5dff8cc81a077c2d1808061e033a4a30084d948226917c4ed98913a
Score

8^/10

evasion
- Drops file in Drivers directory
- Stops running service(s)
  evasion
behavioral11 behavioral12
- Target
  
  Meta Unban/Cleaners/FortniteCleaner.bat
- Size
  
  1.5MB
- MD5
  
  2429db21a224c48fa6b17e55a6762328
- SHA1
  
  f86eb0c2de25e8970add83b66253d3f18b0994e1
- SHA256
  
  365685c1e71944bc955c6be46cc33a44099bcb0f8c625228e89445f18866b778
- SHA512
  
  0487e79a9b2b427f8c0e5bb860e78039bcf29626bd58ad8190df858fcfa130d15add3fcd350cdadaccbc1d2e13f822dab76e418029d692d2ccd972594b4c0e23
- SSDEEP
  
  49152:9TOB4ynYygOvXsMruROZyUpWvWOLZkORn:b
Score

1^/10
behavioral13 behavioral14
- Target
  
  Meta Unban/Cleaners/NXTcleaner.exe
- Size
  
  3.2MB
- MD5
  
  644399a0aff07bd4f7dc1eb5aa5c0236
- SHA1
  
  243f1f7bb95af8d3c44a270772f408c6febb06af
- SHA256
  
  5d101b2efae1e9390ac98e014a05d54338ec45cd73ff5dd70842877910f7b758
- SHA512
  
  73db539182c67d18b4e491966672876054cdeaae9d5ac024f1991a0551aea74867d9f1df7487655a5c9089553b967c09f558b02e33ec0cc015b6587fd5eb2508
- SSDEEP
  
  49152:MVmDUcyg2ImpoHJSt6Ia+CZEV2o8vMT3/nwlU5igpWV7JEW8np2Klad4j0Vs:MsgcypOSUI+qmJo+QZladTV
Score

7^/10

spyware stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral15 behavioral16
- Target
  
  Meta Unban/Cleaners/full deep cleaner by nigga mhatt lol.bat
- Size
  
  902KB
- MD5
  
  602ac0bd731b2615933dde1442e96ff7
- SHA1
  
  586be9b5bb086aa301eea7df5ee998390756b912
- SHA256
  
  97c781dfaa813232a8d13f7dcdfd1490f355ab85823b2cd73b9dd259d3a1ad07
- SHA512
  
  d5cee12b3c99cae442808c463636faa0f96cdae24d6caff13fd5e27a40f74ce58cd15f43430d5ebd15d968588d491dee17bb31b3f7c19ed7d55e2882a25d30eb
- SSDEEP
  
  3072:kOW9mafKzoz3g8gzRnvplYSc5mzozEzoz6zozn:5ykyuykyn
Score

8^/10

evasion
- Stops running service(s)
  evasion
- Deletes itself
behavioral17 behavioral18
- Target
  
  Meta Unban/Meta Unban.exe
- Size
  
  55KB
- MD5
  
  7d2e642f65379d352e8a144f3210d4c8
- SHA1
  
  2a4f1173b43bdeb3e4ebe8f1f6fcad24a092a5d6
- SHA256
  
  fa1d94e54a86ae548a6b304fbff0cb11182593e5d2c181ec5d2e5add108f7b22
- SHA512
  
  f882085c1f9fe6679f5d5861be0070f700c26235dcccd4f1c877659a2e08eeab727be75dc35f44e31a21369b0a4a8e1b92353f38e52137c1e1c69c0f087f2704
- SSDEEP
  
  768:SFa99JfBJnNLrYOjvVOROJ6usQtxR2T+ELMx3dzHN:OaHlrNLMODVwMfdR5d5
Score

1^/10
behavioral19 behavioral20

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Impair Defenses

T1562

Indicator Removal on Host

T1070

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Tasks

Sharing

General

Malware Config

Targets

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Themida packer

Checks whether UAC is enabled

Drops desktop.ini file(s)

Checks system information in the registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Modifies Windows Firewall

Checks BIOS information in registry

Executes dropped EXE

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Stops running service(s)

Checks BIOS information in registry

Themida packer

Checks whether UAC is enabled

Checks system information in the registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Stops running service(s)

Checks BIOS information in registry

Reads user/profile data of web browsers

Clears Windows event logs

Drops file in Drivers directory

Stops running service(s)

Checks computer location settings

Reads user/profile data of web browsers

Stops running service(s)

Deletes itself

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20