Resubmissions

19/06/2023, 08:55

230619-kvtjrsdh9v 9

18/06/2023, 22:53

230618-2vffksab57 9

18/06/2023, 04:47

230618-fex5ssdh24 9

17/06/2023, 23:44

230617-3rce7adc2t 9

General

  • Target: svchost.exe

  • Size: 7.0MB

  • Sample: 230618-2vffksab57

  • MD5: 9c8971a999bec1e4a602f6ad8295b207

  • SHA1: c358b621a6402c3a3a184c9bbdedf6c3f4f8f088

  • SHA256: 74a46a2e591d858b447870d9d4535729e9859328854be58f6fd0ef2cbe12b206

  • SHA512: 051179832fd8a181dcd2131807332b6ac301484aeadba3baad594e0680c2bd0d58df5b712f2a6464c160a1f0af83f8b7a3a28f955530cfa7c0d6af253968aedb

  • SSDEEP: 98304:ZB2pC6XG4HNkq5UKPhc24Y1/QPldHVTgPNhV0ADXqQgpkWDRIZVMnu0jjD8ueJU:icUG4raKu24YY7HVT4hV0AD6QgqKRgX

Malware Config

Targets

    • Target: svchost.exe (size and hashes as listed under General above)

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks