General

  • Target: svhost.zip

  • Size: 7.0MB

  • Sample: 230617-lbrfqsag41

  • MD5: 66c4c78001e053a9e28bf2c802d98836

  • SHA1: 516b06f28b64b1323cf61511055e9d3541fe302a

  • SHA256: 0b57ef8dc404b12987c7071007deb61da13dfa9b082827a513a895056520b7ce

  • SHA512: cbc4b163bf56f5ddb21a9dda584984204ab489adf9261b8f71f6ccc39c51549a3a4e2169d0b19ac5fd1adbc9a7d557732e57e69627a228ab8f6082305e454e23

  • SSDEEP: 98304:vB23sWnSm/5eKZa4dhcCWI1zCvZrOQhPZer3hjaADtoKgNY2hRu/5UpmOlTBk6SI:M8kSmHI4sCWI+0SPZahjaADGKgiMfGPu

Malware Config

Targets

    • Target: svhost.exe

    • Size: 7.0MB

    • MD5: 0ae923579d23319a92433cd5078fc8e7

    • SHA1: 66960b7c537597615a051d92eaf8c3971f3e53f9

    • SHA256: bf57483379c0df21700ab91b090302d9784f9cfa7bb8486a1e8267256841bd7e

    • SHA512: d4cca5dd9f30f41129f5f27d6be5233bfea3b321c624e30cdd051d445025d1ab4d86bb3de8049ad8b49569d5923950fa76c333dc1bb25c87b79cdc63efac6a18

    • SSDEEP: 196608:rbcUG4raKu24YY7HVT4hV0AD6QgqKRgX:5mKr4YYH+EUWpgX

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks