Resubmissions

  • 04-06-2023 01:31  230604-bxnxmaaf43 9

  • 04-06-2023 01:28  230604-bvvbmabb8t 9

  • 04-06-2023 01:15  230604-bl8snabb5y 9

  • 03-06-2023 01:38  230603-b2d8zsfe8x 9

  • 03-06-2023 01:32  230603-bx7pqsfb26 9

  • 02-06-2023 22:49  230602-2rnb1sef94 9

General

  • Target

    svhost.exe

  • Size

    5.2MB

  • Sample

    230603-b2d8zsfe8x

  • MD5

    8aa2bcc963f412a81961e70ca973d25c

  • SHA1

    791e2d2f9fc5bbf9f149aaace2cbf1b3ea263eb8

  • SHA256

    d8ccea5c925de65f4604ec7b632aaf3d6bab3a9930e4708530f17f9891f8ba84

  • SHA512

    da47fd38845006bb884230996e499a6d42f5a78a2cd6fcc7be8e1b2cd3cc3623d0b579ab8eab67ee11eee294feb21729a9f23d5f51180525ad0e425b9283c7bb

  • SSDEEP

    98304:qNN/N91h2eDZQjL7sU8I5DKBWoClkRGJewd8Y3evBQ9LtYVrEx3/o6ETgKbWyu:w9GeDVI5DKBWZlkgJedYs6LtYdEhqTgY

Targets


    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks