d8ccea5c925de65f4604ec7b632aaf3d6bab3a9930e4708530f17f9891f8ba84 | Triage

Submit
Reports

Overview

overview

9

Static

static

7

svhost.exe

windows10-2004-x64

9

Resubmissions

04-06-2023 01:31

230604-bxnxmaaf43 9

04-06-2023 01:28

230604-bvvbmabb8t 9

04-06-2023 01:15

230604-bl8snabb5y 9

03-06-2023 01:38

230603-b2d8zsfe8x 9

03-06-2023 01:32

230603-bx7pqsfb26 9

02-06-2023 22:49

230602-2rnb1sef94 9

Sharing

General

Target

svhost.exe
Size

5.2MB
Sample

230604-bl8snabb5y
MD5

8aa2bcc963f412a81961e70ca973d25c
SHA1

791e2d2f9fc5bbf9f149aaace2cbf1b3ea263eb8
SHA256

d8ccea5c925de65f4604ec7b632aaf3d6bab3a9930e4708530f17f9891f8ba84
SHA512

da47fd38845006bb884230996e499a6d42f5a78a2cd6fcc7be8e1b2cd3cc3623d0b579ab8eab67ee11eee294feb21729a9f23d5f51180525ad0e425b9283c7bb
SSDEEP

98304:qNN/N91h2eDZQjL7sU8I5DKBWoClkRGJewd8Y3evBQ9LtYVrEx3/o6ETgKbWyu:w9GeDVI5DKBWZlkgJedYs6LtYdEhqTgY

Score

9^/10

agilenet evasion persistence themida trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

svhost.exe

Resource

win10v2004-20230220-en

agilenet evasion persistence themida trojan

windows10-2004-x64

20 signatures

1800 seconds

Malware Config

Targets

- Target
  
  svhost.exe
- Size
  
  5.2MB
- MD5
  
  8aa2bcc963f412a81961e70ca973d25c
- SHA1
  
  791e2d2f9fc5bbf9f149aaace2cbf1b3ea263eb8
- SHA256
  
  d8ccea5c925de65f4604ec7b632aaf3d6bab3a9930e4708530f17f9891f8ba84
- SHA512
  
  da47fd38845006bb884230996e499a6d42f5a78a2cd6fcc7be8e1b2cd3cc3623d0b579ab8eab67ee11eee294feb21729a9f23d5f51180525ad0e425b9283c7bb
- SSDEEP
  
  98304:qNN/N91h2eDZQjL7sU8I5DKBWoClkRGJewd8Y3evBQ9LtYVrEx3/o6ETgKbWyu:w9GeDVI5DKBWZlkgJedYs6LtYdEhqTgY
Score

9^/10

agilenet evasion persistence themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Web Service

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

agilenetevasionpersistencethemidatrojan

© 2018-2024

Terms | Privacy