General

  • Target

    jdfasfsdaft.exe

  • Size

    7.0MB

  • Sample

    230617-2w3x9sdd65

  • MD5

    bb8abfbf4c8e88ebc56211c059e2ab08

  • SHA1

    50fe1f3d937e864eef5833358f0b1b78d155c251

  • SHA256

    6a381ad99d0ba0e83eaa84202fabf0ce5a92e3435e44384ab18002dc16c73cad

  • SHA512

    e5c615711d87bc61a3d835f30236e43dc636f8423b2fc04d6edea65495e230ccc287434b0bfeed9466f90fdf5a7d5554b0204e6aa52858fcf7373153955c5dd5

  • SSDEEP

    98304:dB2pC6XG4HNkq5UKPhc24Y1/QPldHVTgPNhV0ADXqQgpkWDRIZVMnu0jjD8ueJU:ucUG4raKu24YY7HVT4hV0AD6QgqKRgX

Malware Config

Targets

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks