e1dcc9c259c78a051ead4ae56f9eabdb829bb7c832fe81af6f65f6b465b7f026

Sharing

Copy URL

Twitter E-mail

General

Target

SkyFlick2.1_WIN11.zip
Size

22.7MB
Sample

230327-f96enabh73
MD5

6a51cc62a419ff0ce8e402f6078f01fc
SHA1

dac60e7e9cc63b90804674275b729e7bc5c8a1ee
SHA256

e1dcc9c259c78a051ead4ae56f9eabdb829bb7c832fe81af6f65f6b465b7f026
SHA512

a6c7624c3b78bcddd726dfffaeb13db329a4c75e0e91acf6d5fcd85492dacab06fe2644193c40adcb7c30802bbd34f8e6695bec2386b5e8257ab3f3b832b1efe
SSDEEP

393216:7lc13U2VRLLoSkywODQQmdL3aRWtBWH2uNxUMAF9WZNcswyRQojMYWVlHoGTyy2L:7l23r5njzUJdL3ZtB02uTLsucxy+vLHK

Score

9^/10

Malware Config

Targets

- Target
  
  SkyFlick2.1_WIN11/RealReboot.exe
- Size
  
  17KB
- MD5
  
  e3ff3e13aa2327bf56c2b9c7ff72da6c
- SHA1
  
  5d796ef224d2f45111819297b3098a3ef6ddd63d
- SHA256
  
  c4d9a85853ba58157ddc42235fbd576d7312f04fcb7e35f92a12915f8cb81ea6
- SHA512
  
  38217d461faf6a48670086ed0cc08242c087eb85769f5ba4935c23dff6a3e80a7c4cdd87a8dcf878d3a942f460006555b3dff1f7274dcd08c5541a9ce5c958a0
- SSDEEP
  
  384:l7E5glOubn/A/FQsDL27jq0JdVVIY9o3d+m:1pIyA/1cjq+HXq3km
Score

1^/10
behavioral1
- Target
  
  SkyFlick2.1_WIN11/ResetHWID.exe
- Size
  
  2.6MB
- MD5
  
  d39c72eec8cde69944feda7cf386fd14
- SHA1
  
  694538c10ca8ba6a95791b528b857db118f7785b
- SHA256
  
  dc1f8e5c613b61e44cf394bbd36938ae90d432afcc6fbc90cbc07913419eca50
- SHA512
  
  5fb46167f6fcb27212f3516de1ee4fbb88ae1425da7ad82cd44f4db82409eecbc5115088a8d7492681ee35a7c5297947f9cb1de8a899ad81bee496384bb5c221
- SSDEEP
  
  49152:YJZ4qPVzHxJQ3zNJKaxPxFN1myo4UzfV/WX5RE/s/Td:kSqYJhx5FTmpB/WX5S/wd
Score

9^/10

evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral2
- Target
  
  SkyFlick2.1_WIN11/SkyFlick2.exe
- Size
  
  5.4MB
- MD5
  
  86a3d3a67b29fe9dd04f3cc865056245
- SHA1
  
  210c988487baacbc41dd8590b77688d8a03b81f1
- SHA256
  
  646dc44a15f576f31d4f357f2538bf5aec7bd92ed373b8a217daeee7a22e81c0
- SHA512
  
  d33dfb990b61ce9930469260cd643ef643ca79c66bfbb41e4e8b4f4e684f8abfac8936ce84667d6154b0c62de2cbbbc7fc4c4d6058a635d07366939207a131cc
- SSDEEP
  
  98304:uMaC/In9pCoFypqViZfw+1AFb8qTgDRr19pF2rKELuSLw3aOTy:naUIn9/Fyy+yoqgjRVELuwwqiy
Score

8^/10

persistence vmprotect
- Downloads MZ/PE file
- Sets service image path in registry
  persistence
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral3
- Target
  
  SkyFlick2.1_WIN11/data/Ba6ZtH8y0KbD2.sys
- Size
  
  3.5MB
- MD5
  
  dde5740b4bf6271bdb42da242c5535d8
- SHA1
  
  16476c591b781449440a7b468becc63b7daa33cd
- SHA256
  
  714b12277e64be16a900018fbb43fd34be88c3d959cf1985876369d34904d1d5
- SHA512
  
  463f5d36ae6bc9818edfd2a5c91430614d9c7f65f638ad40d44816c0c0d6e64af6c491e58ae6a43e908dd9c285f72c297d4b8bcdca2060499814a603c0c8e95b
- SSDEEP
  
  49152:BfecROe4BTjPTGBCZ5mMO7s8h+JXf6rsF/yzWU1buWkOB+5MT3LIRYoRV0D36rfj:BmcyRMi5JOcyAlyz7IODoRV0D36MHId
Score

1^/10
behavioral4
- Target
  
  SkyFlick2.1_WIN11/data/bin.0
- Size
  
  5.3MB
- MD5
  
  5ee3604fac6e53dc2f3a4486ab9afcf6
- SHA1
  
  4a10abcd8ac6f75ee60d94eed5b07684a4e9117c
- SHA256
  
  318ee60258ac8cd34e0eed8d471fb0a11a3be56205cbb9d853dbded659f6c787
- SHA512
  
  bd28f9fb51f69c5a9926c3d2a60fa1888c70405a50ffd25586407857f792c2b373e5e04d78284f9c24a3151a296961c57f9dd2dd0dba4c4a1aab034d0b3bb8e0
- SSDEEP
  
  98304:17aA6O2V2/6K+yoHKEorpSFojMHa/0EexF2zAI8J5ktPCO0xtw2qHwJVtG:17aPO2c/6OoqjSFoE40E+fSWZqHwU
Score

5^/10
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral5
- Target
  
  SkyFlick2.1_WIN11/data/bin.1
- Size
  
  6.1MB
- MD5
  
  b357bc0d4c48a0481057d854c9168503
- SHA1
  
  bc729697648def321e6b78b27ae790bc149f6bb8
- SHA256
  
  5fb7783611fdcd76d9d57d7d2af6791357c3d41277dbc9e69e0a6431bb5949b1
- SHA512
  
  b4cd3f9796e329dc018529dcd331b90b6b61bd749ae644ef03fbf3db2e97040441e1b0d92a64d9306074160b0ce7fe1b298c210de082db751f712bf1f4edacb3
- SSDEEP
  
  196608:91aFJdepxzWiarz1yMOQbxCxl/95eYfNdyV:91avCxzGxy8bxEZ9Xdy
Score

7^/10

vmprotect
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral6
- Target
  
  SkyFlick2.1_WIN11/data/drv64.dll
- Size
  
  866KB
- MD5
  
  466d8d4bd03e1ae1dfb7cd2944747808
- SHA1
  
  d779e10cec5a7457d08b9d63e2f392202d1b9c4f
- SHA256
  
  b1817ee674e9a7b9eecacb8068eb7e5d6f45052106f0fef31d9eaf7e2eaf7f15
- SHA512
  
  1d18f517ae7f0fade4768616969ba0b6c9fcd1fc2d593e5321f1826f9313c6b2f976fe737094515e9585fd0bd4fbc832d879129f80d9136a6ab861ff9b962764
- SSDEEP
  
  12288:2hE7/OAnfbSJrD6n/Im5hkK9W4Iyo4J4b4zD3PRNhhIaqcMuceZDHlBtkSpJo7wl:l7/NfaejRHIyZJdX3pNh+PcNRHtkI
Score

3^/10
behavioral7
- Target
  
  SkyFlick2.1_WIN11/extension/Anti-Flag.exe
- Size
  
  138KB
- MD5
  
  75645c600160e1e9973ce7b2a68badf8
- SHA1
  
  46d17296a5d04a7cab4ecf494b6c6e6c34638021
- SHA256
  
  d43495b3fce93bb8c9e24d5c9f4df0f93da02364b18a8a137a518e4218aeb7dd
- SHA512
  
  76200b07f37dd22f32bb3b6a1e6a00a5f24eabb63c1e9904e5fed21e7aebe0e44b95f8207b64d4579c44bac1deb3d36692a09987821c4bb8f2ba2df377cbf032
- SSDEEP
  
  3072:v2G3/l7spI6KroZmveReJ+RBysDNjNuhE1l8to9H3E5q4WzD:vbd7sIYDL2sDrual8C/4WzD
Score

1^/10
behavioral8
- Target
  
  SkyFlick2.1_WIN11/libcurl.dll
- Size
  
  479KB
- MD5
  
  a773fd7caa6ee0b42ad5d9bad74b1f01
- SHA1
  
  325d625970d6ed18606858fee5281f2a51432ec6
- SHA256
  
  805979c09a14d249f3086053ef55c5a7d1a409dbba83c2e0ee80befcfc875aa3
- SHA512
  
  d6f5deae4b2472a9be53229939fb898e2a8bec1dad912a2d9af3d0b355e901e5ee502817c2a71d80fa49524c236d08221f988b0f23a6d3f6d18f5ea8285a4dbe
- SSDEEP
  
  12288:y/mw+ZFUm8PPObIY/fCmSwj0O79RiYpKlCuaxAQY:ywgPObIY/amSwj06lomA
Score

3^/10
behavioral9
- Target
  
  SkyFlick2.1_WIN11/zlib1.dll
- Size
  
  87KB
- MD5
  
  cccf0510b3d50d1d458e1be8da1b64d5
- SHA1
  
  701e6655979f5066c4fe6bcec18982dd427a2c58
- SHA256
  
  76c186ade3e6c6bcf0b4adaa8fb1332f69290e1fd191872ed5cc8d32cbf767ea
- SHA512
  
  4db2dc29e4558c6f179bf6d41fa77740fe3f96033daa0327caf60df83e447ea0342b12cd612f7b551d8223e0457f6069e3b6c30c291c8c4ede3b089cadd9d04e
- SSDEEP
  
  1536:gk2qZPsTBdddWfPpFu/xHEvT9QIOcIOnXmZWAhJn:gNqZPsFddYfPpFsH+T9GSnXmZWAr
Score

3^/10
behavioral10

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Targets

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Downloads MZ/PE file

Sets service image path in registry

VMProtect packed file

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

VMProtect packed file

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10