Overview

overview

9

Static

static

7

test.zip

windows7-x64

1

test.zip

windows10-2004-x64

1

TACTICAL-2...se.exe

windows7-x64

9

TACTICAL-2...se.exe

windows10-2004-x64

9

unpacked_version.dll

windows7-x64

1

unpacked_version.dll

windows10-2004-x64

7

version.dll

windows7-x64

9

version.dll

windows10-2004-x64

9

Sharing

Copy URL Twitter E-mail

General

  • Target

    test.zip

  • Size

    17.0MB

  • Sample

    230425-krew7sbc8x

  • MD5

    71c56dcf8559b5812abc95d3d6c10c8d

  • SHA1

    ef83ccc4c9e48ac4e5ec8c888a63cefd4b7103af

  • SHA256

    1dd7ab2ea6b3117f4ba6ffc1dc39df679146374180557c5b33c5b14f1cb084e3

  • SHA512

    dfa53f6055725b94891d5260f73b648118d128f42166d6617117a24ea957ae64294a6d4977cd4641411571f697ddc22485ed507a54614e844804531778f846d0

  • SSDEEP

    393216:LG/D/OLkvQTLRDo8PkT0+Z/paufqfq0HAJlmdE4MyaS7G37OXZ:DovYi8PkT0+ZRa8qfA4MHS7G37g

Score
9/10
evasionthemidatrojan

Malware Config

Targets

    • Target

      test.zip

    • Size

      17.0MB

    • MD5

      71c56dcf8559b5812abc95d3d6c10c8d

    • SHA1

      ef83ccc4c9e48ac4e5ec8c888a63cefd4b7103af

    • SHA256

      1dd7ab2ea6b3117f4ba6ffc1dc39df679146374180557c5b33c5b14f1cb084e3

    • SHA512

      dfa53f6055725b94891d5260f73b648118d128f42166d6617117a24ea957ae64294a6d4977cd4641411571f697ddc22485ed507a54614e844804531778f846d0

    • SSDEEP

      393216:LG/D/OLkvQTLRDo8PkT0+Z/paufqfq0HAJlmdE4MyaS7G37OXZ:DovYi8PkT0+ZRa8qfA4MHS7G37g

    Score
    1/10
    behavioral1behavioral2

    • Target

      TACTICAL-2.8.8-release.exe

    • Size

      18.7MB

    • MD5

      7dc7618d9d9d1da9c547e647dcb62343

    • SHA1

      e0e70b7d626f15ebbc65e5e277913f42081f0946

    • SHA256

      db16aa255d60937cde5204609ac1f51e4f6f808da8579165cb4e03bc8fa1cadb

    • SHA512

      70ef869bae47b0fa12c5711d4b26d0e37d96d9ad3c918c3d0a9df1a60790413b0c4d090a16af81e93fc2e6ab47fd0b6cfff13ba283ccb10319982f8754f56820

    • SSDEEP

      393216:zZLWanwwgGZohDuR4mh59YpSR2GYxDOj99iaL:zbnwwd2y8p82GYxip9v

    Score
    9/10
    evasionthemidatrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Drops file in Drivers directory

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral3behavioral4

    • Target

      unpacked_version.dll

    • Size

      6.4MB

    • MD5

      841df99dd9cebc8a29763c3386d54649

    • SHA1

      d3b4d43bc764b2fefe3a089ba408331fc8d2d7a7

    • SHA256

      2759fe44509259620d06f162dc45c337ba5ffe5bf480583708d5d0fa822f9442

    • SHA512

      fecec6d6f8227e75c119e9c83b7691988f9a9190a4e48222294cfa4e9721498e478b8fb2322975e1e2b06a53c5e5d02211dfe34b140c607bae65ee53ccab84a8

    • SSDEEP

      98304:2bng4Lr3Al86dATnRUwAvD3P0HNCB59V4S1iVEMXSxDOwmzJsPF3sBezlnkKcP4:GGdEnRGvbPs44ke3vsPF3C9P

    Score
    7/10
    themida

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida
    behavioral5behavioral6

    • Target

      version.dll

    • Size

      2.5MB

    • MD5

      f9b89da94ed247b257ae8bac48304611

    • SHA1

      1637a3228884cf84b8f173e4249f2dc86193329a

    • SHA256

      0f84cac377432974a2232b164bfc7451aa5c4445c878387725df97486531fbcd

    • SHA512

      1dd2efc11287a1e917e008a826baadb721c68d1a3b8a6e0106306ae6dd85f2adfb782d4eb20d4020160304117ebd115a0c1c4996d84565e232d727eef7212096

    • SSDEEP

      49152:+FIlhMg37EU2o+SxDOwmzJQNDPFsx/qssluv7eMSlwGkgaUcPqVn:+VEMXSxDOwmzJsPF3sBezlnkKcP4n

    Score
    9/10
    evasionthemidatrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral7behavioral8

MITRE ATT&CK Enterprise v6

Tasks