76464cfba6e44c2b349816105428d962967640ed441962e9197b937fc8bd75ed | Triage

Sharing

General

Target

Appfuscated - Cracked by Voxguard.zip
Size

6.8MB
Sample

230614-s49lcaag93
MD5

cc29b8b7f13527d77878945e3755b947
SHA1

6febad6d7a31807c6d4066ef5ad2451617769dab
SHA256

76464cfba6e44c2b349816105428d962967640ed441962e9197b937fc8bd75ed
SHA512

7e3c7b7b0f26543b854471e5453c4ab1417183087fa3440e7603e0efdd7474f853f7d7b42de4bdd20024738f33d0be6221495f3a1def5259c4b55c30d90e2e2a
SSDEEP

196608:c/Za0NBs5DKd6X74JfsxYyMdz29kl+5Qq/czTX26kwAtNni5:+06Bs5DKYm7yMdz29kloh0zTX26NAri5

Score

9^/10

agilenet evasion themida trojan

Malware Config

Targets

- Target
  
  Appfuscated - Cracked by Voxguard/AppFuscator.exe
- Size
  
  5.6MB
- MD5
  
  d19985c8b4de4a0cef2f5a4533140ca4
- SHA1
  
  4fb1de3c3aebc888aec868a7d921ad6653e6aba4
- SHA256
  
  1d0638e1f906f41b6dcb34a685223eb6b1b19874661a2131dcbe9c76e1ec1791
- SHA512
  
  2eaf25002f57ffc2ece5c68bdf17182b393dceee0b836cb6d9d4c2ab7604b9b2e2dc47da1e9c6499fc341a23130c14dfbadd51530a11ae1e73c37ca1c4d3ba4d
- SSDEEP
  
  98304:EIvuNN/N91h2eDZQjL7sU8I5DKBWoClkRGJewd8Y3evBQ9LtYVrEx3/o6ETgKbWt:ET9GeDVI5DKBWZlkgJedYs6LtYdEhqTp
Score

9^/10

agilenet evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
behavioral1 behavioral2
- Target
  
  Appfuscated - Cracked by Voxguard/ICSharpCode.SharpZipLib.dll
- Size
  
  196KB
- MD5
  
  c8164876b6f66616d68387443621510c
- SHA1
  
  7a9df9c25d49690b6a3c451607d311a866b131f4
- SHA256
  
  40b3d590f95191f3e33e5d00e534fa40f823d9b1bb2a9afe05f139c4e0a3af8d
- SHA512
  
  44a6accc70c312a16d0e533d3287e380997c5e5d610dbeaa14b2dbb5567f2c41253b895c9817ecd96c85d286795bbe6ab35fd2352fddd9d191669a2fb0774bc4
- SSDEEP
  
  3072:hjMibqfQqFyGCDXiW9Pp/+Tl4abpuu201PB1BBXIDwtqSPVINrAfvp1:GibqI59PpOPf201/z7p
Score

1^/10
behavioral3 behavioral4
- Target
  
  Appfuscated - Cracked by Voxguard/Mono.Cecil.Mdb.dll
- Size
  
  42KB
- MD5
  
  ec602fe75ad2447f6c40c253ad77a860
- SHA1
  
  32018deb857936c16cd3f971c6020e34d1718b67
- SHA256
  
  7aff7a0c8b14b02952cb028e8a39eb7c862b89df7499ef684aa2374b46da5513
- SHA512
  
  b65e238a1f58f9e355e1f3e539aec3f0ae2c14c203a2e6ea4bf4bc428fa8bb3ac5b9ecf310448ca6054cb83e053270f0dcbae5d753b76f21bf2b6a930195be50
- SSDEEP
  
  768:6qgBelOEdZagw3gn6qIZgWbPmKkBnjjwl+N/6N63+Iu7toi6:jmFiZaxgMgTNjC+UQ3+Iu7F6
Score

1^/10
behavioral5 behavioral6
- Target
  
  Appfuscated - Cracked by Voxguard/Mono.Cecil.Pdb.dll
- Size
  
  79KB
- MD5
  
  b30b9ce2a7bece6959dba927eb3ea1a3
- SHA1
  
  97eaaee53e587cba6159667a3c4d497669b989bf
- SHA256
  
  e6bc17982d5fb058d2778629ddf03742319941881c36fa8095badfd7cc72ff4e
- SHA512
  
  75f34e2c133f1875eafc8a935d0d820a08f9a7d76010c8e79238c19774589e354edcc7b2daf6747753e0085fe88b84d04bd766e54c8a848d87b1d109704ae243
- SSDEEP
  
  1536:LA9CnZBnyxYMzacPTTS0NbVD6nzJ6cMPwxMl8WS:LA4WZrTS0Nbp6zc4xvWS
Score

1^/10
behavioral7 behavioral8
- Target
  
  Appfuscated - Cracked by Voxguard/Mono.Cecil.Rocks.dll
- Size
  
  23KB
- MD5
  
  d64f8b0830090fdf1b48aa7f6b442a1e
- SHA1
  
  2acaa4e39d9e31302fed92947fa51d4c940d829a
- SHA256
  
  59b6b9f7e9f4f3db6c2ee372d9b0300992e2aac9d240fb76e51c7bb27495f5a9
- SHA512
  
  5732a3d432df08c0898d908800b0e84524c73ddad40ac731746112759126b45bbe43cf009f3d4712ab0a72444d24f76c64019a23aebe370dd5ea64b80538c2f3
- SSDEEP
  
  384:SIGYInS5SQ1MNaBRd9qUYwe/7Xv42hiQgnT+BNHo2RGFZMzEbSjr/hYR7b+q9/w:SIGYIi913Xkw+Tv4iij6NHpGTH3l9/
Score

1^/10
behavioral10 behavioral9
- Target
  
  Appfuscated - Cracked by Voxguard/Mono.Cecil.dll
- Size
  
  271KB
- MD5
  
  b1c7da53f32e6425b84c118047fdfab4
- SHA1
  
  643d8531ae4e924b57066778883caec4ed7f8f4b
- SHA256
  
  ae75bf2566a936b86bef42731f1ef32d17b4d496931ad8278d07b9b5076def1d
- SHA512
  
  d6f3db75672cef693cd6249df999c4ba6106ccdb1aade534d2cd55bca87899826209109c4191f33e2c6ca6e072f2774eb6cd093bedfd4b6bc005b68214bacff9
- SSDEEP
  
  6144:fdeEoRWiECsEvx/9D7aucVRLQudsE0Gv8hUBKdJDkPl6X:VNotEC9xVXARdv8hQ
Score

1^/10
behavioral11 behavioral12
- Target
  
  Appfuscated - Cracked by Voxguard/Newtonsoft.Json.dll
- Size
  
  382KB
- MD5
  
  8611795b70cd1f321cb5cb5aad95ff7b
- SHA1
  
  3adf7d5b701c2ee4af9faa79c36fc724a73a1427
- SHA256
  
  cfc2edd8ee6a9e91719e493a8ee26938b59d8a2485d8bd4841fa34e9d6fef573
- SHA512
  
  1658d0dec157dcbb008bda2bc3db227d605c4ad56b853f81a8d8571bb49e8d56780c994447cbd6fa88a2bbae9985ddcb43f8bce032010674eeb78a1f1e7d9486
- SSDEEP
  
  6144:t+BWmtpZQYS2PjCLfjSCpkALDUbr0tJ0nzb:0Pw2PjCLe3a6Q70zb
Score

1^/10
behavioral13 behavioral14
- Target
  
  Appfuscated - Cracked by Voxguard/StackTraceDecoder.exe
- Size
  
  246KB
- MD5
  
  b8bf157eed7bd27199bd7154c116c7b0
- SHA1
  
  df607563da0203e12a57ae4d3ed5ff51802f58ed
- SHA256
  
  5b15601c7db081bb5897ee1c3037abd675cf3dd4a6d7d1487f33713182890c23
- SHA512
  
  cb2769b2b7ac2dd2b02811eede61795f5ab882eaa49df6db6b50e2ddd85933b1e6f75a6382ab75b3da49115d869e6c67cad03876a255f6233751e759a055a5d8
- SSDEEP
  
  1536:gUnGdjjJ0Z1j2HawJAX4lXkmwtvkjxXpKXkdwtGkjb:gUnmOZzRXW56kNXsG/kP
Score

1^/10
behavioral15 behavioral16
- Target
  
  Appfuscated - Cracked by Voxguard/WatermarkDecoder.exe
- Size
  
  45KB
- MD5
  
  1170198cd869a9767ce44b5a2343ef05
- SHA1
  
  b579fc5c205f89b1324f301aef02de58c536d84a
- SHA256
  
  5c745208815ef1ad703586ef1ab5ed8bf1ee2f7d5900c32a75b4f711ac3fed77
- SHA512
  
  5b57832ff5a17401815bb962c128dc5e400fd361979b2d83435024bca0a7947eebeba89e3a0be08524bf3ad835fc02c930e7a4122243e5a7275e2aed5c606603
- SSDEEP
  
  768:xMuEJvcoBUYsH57CsyPpDgsmx8/Pb0fgk:xMNJyMP5Canbsgk
Score

1^/10
behavioral17 behavioral18
- Target
  
  Appfuscated - Cracked by Voxguard/unins000.exe
- Size
  
  2.5MB
- MD5
  
  61859891f371ac2ce1c892f3baae796b
- SHA1
  
  26cfd62d65cb12608d0ac5d56b2d4b7b8045c591
- SHA256
  
  c6dd4365001767875e9a9e61c90baeee1ac5726301105018237b30f9028a196e
- SHA512
  
  d059d84eb280ac8c64db3d276a35e5995ce9349a739668fe34be2056b0962112343fa43a2fa146cb05d8a65515b6065a7f96839c3a19fcccb2a59edeadcc9c0e
- SSDEEP
  
  49152:1R/KpmZubPf2S8W2ILeWl+C1p9jWy5Snd0eigXNa:b/jtYLP1Sy5E0p
Score

7^/10
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
behavioral19 behavioral20

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agilenetevasionthemidatrojan

behavioral2

agilenetevasionthemidatrojan

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20