General

  • Target: svchost.exe
  • Size: 7.3MB
  • Sample: 230620-dh2ahsag21
  • MD5: bb0eb1cba0ab4efdcc626f11b8eb571c
  • SHA1: e5b6ec087b44fbe9f0dd0da2a501e39f8c0bbbc5
  • SHA256: 48fd42ea0f584096a6b7b290705ebb358f6687801bbaa34a918bb630a0602e87
  • SHA512: 576f546d201f895f55b963e00dbb54c9518c47c28e1bce245b6436d08b9ccaa9cc31680155e27ece9fcdcd5923695c0c2c31e2b133d38e67298bbdbd5cb810a2
  • SSDEEP: 196608:BpcUG4raKu24YY7HVT4hV0AD6QgqKRgX:BnmKr4YYH+EUWpgX

Targets

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
      BIOS information is often read in order to detect sandboxing environments.
    • Loads dropped DLL
    • Obfuscated with Agile.Net obfuscator
      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
    • Themida packer
      Detects Themida, an advanced Windows software protection system.
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
