5b315a54591d573feb569d2471d8291351a552d4b3f2e35987bc93bee1218989 | Triage

Submit
Reports

Overview

overview

9

Static

static

1

rhino_en-u...01.exe

windows7-x64

4

rhino_en-u...01.exe

windows10-2004-x64

9

Sharing

General

Target

rhino_en-us_7.29.23107.03001.exe
Size

293.3MB
Sample

230612-tpye7sde5w
MD5

a98cdb7c0f477d356997455b91ec0a83
SHA1

91b81bcc937779f65578b00303644469382ba6b8
SHA256

5b315a54591d573feb569d2471d8291351a552d4b3f2e35987bc93bee1218989
SHA512

f32c5a3c2bca72bcb8711c9f4edd0cd478d44dcdc7696005002a00b14bdcd37b689ee44e9d8e612e5b4307fa2d61e53430dc4eb202f2dcb326da4ed395f9ed04
SSDEEP

6291456:lj7SKgeBv0/wFJblMRI5c1ec1JSq5BTTUkP9DOJd9CgSKMfRxR:ljlqwpAI5c1eQvvTX9CTcWMnR

Score

9^/10

coreentity discovery persistence

Static task

static1

Behavioral task

behavioral1

Sample

rhino_en-us_7.29.23107.03001.exe

Resource

win7-20230220-en

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

rhino_en-us_7.29.23107.03001.exe

Resource

win10v2004-20230221-en

coreentity discovery persistence

windows10-2004-x64

23 signatures

150 seconds

Malware Config

Targets

- Target
  
  rhino_en-us_7.29.23107.03001.exe
- Size
  
  293.3MB
- MD5
  
  a98cdb7c0f477d356997455b91ec0a83
- SHA1
  
  91b81bcc937779f65578b00303644469382ba6b8
- SHA256
  
  5b315a54591d573feb569d2471d8291351a552d4b3f2e35987bc93bee1218989
- SHA512
  
  f32c5a3c2bca72bcb8711c9f4edd0cd478d44dcdc7696005002a00b14bdcd37b689ee44e9d8e612e5b4307fa2d61e53430dc4eb202f2dcb326da4ed395f9ed04
- SSDEEP
  
  6291456:lj7SKgeBv0/wFJblMRI5c1ec1JSq5BTTUkP9DOJd9CgSKMfRxR:ljlqwpAI5c1eQvvTX9CTcWMnR
Score

9^/10

discovery coreentity persistence
- CoreEntity .NET Packer
  A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
  coreentity
- Blocklisted process makes network request
- Downloads MZ/PE file
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

coreentitydiscoverypersistence

© 2018-2024

Terms | Privacy