Resubmissions

17/06/2023, 22:26

230617-2cljwadc72 10

17/06/2023, 22:24

230617-2bhftsch8s 10

General

  • Target: ArceusX.exe

  • Size: 7.2MB

  • Sample: 230617-2bhftsch8s

  • MD5: e209eaa50105b03fc303b6d53ba72125

  • SHA1: 8e084a40f935b7164933a709b793b4248350377f

  • SHA256: bde88f3874e804af81f095f41330f1382c45572acef95f4eb60c81413cb28170

  • SHA512: 41d8f1d90045aa17e1f8e307cf2c328d1f80b1649345e58cfb86735535ebccfe518fe1a2705f5579be784abbb0dcbc020dd18d3e72a36c178bb19bcc99b42bf2

  • SSDEEP: 196608:SOFJsKeaDQuEKgsO0dXP0h7oAD2mE+O7oPw:Zb8uDgsTdMyUMtoPw

Malware Config

Targets

    • Modifies Windows Defender Real-time Protection settings

    • Modifies security service

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks