General

  • Target

    Server.exe

  • Size

    7.0MB

  • Sample

    230621-ygbzfsbb69

  • MD5

    3f37221122467ac5f32a8c33a812e508

  • SHA1

    9f6d4058292a8b46530529195e534cc4903ef2f7

  • SHA256

    f513d3e038b7d1eac73eb559f334fdc7fa47ced2b542307e62154890cffff32d

  • SHA512

    a0700f93329a8b20ee723dc0c2b0c43e54c25a0f0c4b9cdfe3340fa2e00c5c3d76573fa99ef31837f8f05c25266b050dd63f7d1c6a4c91c7f169643bf6ce9c16

  • SSDEEP

    98304:EB2pC6XG4HNkq5UKPhc24Y1/QPldHVTgPNhV0ADXqQgpkWDRIZVMnu0jjD8ueJU:tcUG4raKu24YY7HVT4hV0AD6QgqKRgX

Malware Config

Targets

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Modifies Windows Firewall

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks