Resubmissions

18/06/2023, 02:48

230618-davsrsef8v 9

17/06/2023, 23:43

230617-3qkeeadb9s 1

17/06/2023, 23:42

230617-3qavzadb81 1

17/06/2023, 23:22

230617-3crxbsdd99 9

General

  • Target: svchost.exe
  • Size: 7.0MB
  • Sample: 230617-3crxbsdd99
  • MD5: 9c8971a999bec1e4a602f6ad8295b207
  • SHA1: c358b621a6402c3a3a184c9bbdedf6c3f4f8f088
  • SHA256: 74a46a2e591d858b447870d9d4535729e9859328854be58f6fd0ef2cbe12b206
  • SHA512: 051179832fd8a181dcd2131807332b6ac301484aeadba3baad594e0680c2bd0d58df5b712f2a6464c160a1f0af83f8b7a3a28f955530cfa7c0d6af253968aedb
  • SSDEEP: 98304:ZB2pC6XG4HNkq5UKPhc24Y1/QPldHVTgPNhV0ADXqQgpkWDRIZVMnu0jjD8ueJU:icUG4raKu24YY7HVT4hV0AD6QgqKRgX

Targets

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Disables Task Manager via registry modification
    • Stops running service(s)
    • Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
    • Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
    • Drops startup file
    • Loads dropped DLL
    • Obfuscated with Agile.Net obfuscator: detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
    • Themida packer: detects Themida, an advanced Windows software protection system.
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Legitimate hosting services abused for malware hosting/C2
    • Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
