bcb43e540324aec08aad7401c57c64000e7e4ccc20efa5f64072e7a664d9492f

Analysis

max time kernel
40s
max time network
55s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
23-06-2023 22:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BruteForcers PACK/BruteForcers PACK/ExpressVPN Brute Checker By ACTEAM/forms/viewsource.exe
Size

3.5MB
MD5

95e34cb7ec74b0308313608cdad5ff80
SHA1

8c6606080b89b23a32c39a5e8c354f6f846662f4
SHA256

4df2aba56452a16140064c81e5ab3708f8b05176ef9f6ad926848517fc31555d
SHA512

5ac070acc62fcb93b12465820f11943a9e02bda13c151fe76bf2eb967639ad6656797895d62d3347f8ba2c25ad731d7a7a332479dbe4e9ea7986d9e71860ac23
SSDEEP

98304:FhGOI7cg6bt6ZP25ypN9zPA8aY3OjkkGWf3rSPm4Hm:Fh7I7cg6JH8zI8H+jkkGWDoZG

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

viewsource.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ viewsource.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	viewsource.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

viewsource.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	viewsource.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	viewsource.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

viewsource.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Control Panel\International\Geo\Nation	viewsource.exe

Executes dropped EXE 1 IoCs

Processes:

IVACYVPN BRUTE CHECKER BY ACTEAM.EXE

pid process

3584 IVACYVPN BRUTE CHECKER BY ACTEAM.EXE

Loads dropped DLL 4 IoCs

Processes:

IVACYVPN BRUTE CHECKER BY ACTEAM.EXE

pid	process
3584	IVACYVPN BRUTE CHECKER BY ACTEAM.EXE
3584	IVACYVPN BRUTE CHECKER BY ACTEAM.EXE
3584	IVACYVPN BRUTE CHECKER BY ACTEAM.EXE
3584	IVACYVPN BRUTE CHECKER BY ACTEAM.EXE

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral14/memory/4808-133-0x00000000005D0000-0x0000000000EBA000-memory.dmp	themida
behavioral14/memory/4808-134-0x00000000005D0000-0x0000000000EBA000-memory.dmp	themida
behavioral14/memory/4808-135-0x00000000005D0000-0x0000000000EBA000-memory.dmp	themida
behavioral14/memory/4808-136-0x00000000005D0000-0x0000000000EBA000-memory.dmp	themida
behavioral14/memory/4808-137-0x00000000005D0000-0x0000000000EBA000-memory.dmp	themida
behavioral14/memory/4808-139-0x00000000005D0000-0x0000000000EBA000-memory.dmp	themida
behavioral14/memory/4808-155-0x00000000005D0000-0x0000000000EBA000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

viewsource.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA viewsource.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

viewsource.exe

pid process

4808 viewsource.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	viewsource.exe

pid	process
4808	viewsource.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

viewsource.exe

description	pid	process	target process
PID 4808 wrote to memory of 3584	4808	viewsource.exe	IVACYVPN BRUTE CHECKER BY ACTEAM.EXE
PID 4808 wrote to memory of 3584	4808	viewsource.exe	IVACYVPN BRUTE CHECKER BY ACTEAM.EXE
PID 4808 wrote to memory of 3584	4808	viewsource.exe	IVACYVPN BRUTE CHECKER BY ACTEAM.EXE

C:\Users\Admin\AppData\Local\Temp\BruteForcers PACK\BruteForcers PACK\ExpressVPN Brute Checker By ACTEAM\forms\viewsource.exe
"C:\Users\Admin\AppData\Local\Temp\BruteForcers PACK\BruteForcers PACK\ExpressVPN Brute Checker By ACTEAM\forms\viewsource.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:4808

C:\Users\Admin\AppData\Local\Temp\IVACYVPN BRUTE CHECKER BY ACTEAM.EXE
"C:\Users\Admin\AppData\Local\Temp\IVACYVPN BRUTE CHECKER BY ACTEAM.EXE"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IVACYVPN BRUTE CHECKER BY ACTEAM.EXE
Filesize
111KB

MD5
5b8a46af5c56bd94ee71d3b6eb51baeb

SHA1
81898f730d14d632a400df4172784c6be97ca925

SHA256
54c5cd7c101060ceae603c7975524edaf6c2d9b82b76cc1415f04f189356bb49

SHA512
6fd2f18009e9129fc7876c0a2df18ef9d97bd419002aafb54ca0c4b48cd00a027872c448366de69aae9a1aa028210d36b1dbb8cc1ff0b17dc80d0beae60190c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IVACYVPN BRUTE CHECKER BY ACTEAM.EXE
Filesize
111KB

MD5
5b8a46af5c56bd94ee71d3b6eb51baeb

SHA1
81898f730d14d632a400df4172784c6be97ca925

SHA256
54c5cd7c101060ceae603c7975524edaf6c2d9b82b76cc1415f04f189356bb49

SHA512
6fd2f18009e9129fc7876c0a2df18ef9d97bd419002aafb54ca0c4b48cd00a027872c448366de69aae9a1aa028210d36b1dbb8cc1ff0b17dc80d0beae60190c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IVACYVPN BRUTE CHECKER BY ACTEAM.EXE
Filesize
111KB

MD5
5b8a46af5c56bd94ee71d3b6eb51baeb

SHA1
81898f730d14d632a400df4172784c6be97ca925

SHA256
54c5cd7c101060ceae603c7975524edaf6c2d9b82b76cc1415f04f189356bb49

SHA512
6fd2f18009e9129fc7876c0a2df18ef9d97bd419002aafb54ca0c4b48cd00a027872c448366de69aae9a1aa028210d36b1dbb8cc1ff0b17dc80d0beae60190c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEAF.XNET.DLL
Filesize
130KB

MD5
ecced64fe31af5c957b14d964477d7cc

SHA1
e36d262b158349741d6f90f69ab0491a0e032e54

SHA256
25a6bcbfdac13d3d423b7091e0decd59e8c0833f1c73641e2b8bec9196bbaed0

SHA512
f29d2fc540820315f1e081a59c1098ddf2b985f7867b6c4f8415a197e4098c738789253a2581139a6aba19391f35cb1bf9df36743285ee55a333e891d6064a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEAF.XNET.DLL
Filesize
130KB

MD5
ecced64fe31af5c957b14d964477d7cc

SHA1
e36d262b158349741d6f90f69ab0491a0e032e54

SHA256
25a6bcbfdac13d3d423b7091e0decd59e8c0833f1c73641e2b8bec9196bbaed0

SHA512
f29d2fc540820315f1e081a59c1098ddf2b985f7867b6c4f8415a197e4098c738789253a2581139a6aba19391f35cb1bf9df36743285ee55a333e891d6064a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Leaf.xNet.dll
Filesize
130KB

MD5
ecced64fe31af5c957b14d964477d7cc

SHA1
e36d262b158349741d6f90f69ab0491a0e032e54

SHA256
25a6bcbfdac13d3d423b7091e0decd59e8c0833f1c73641e2b8bec9196bbaed0

SHA512
f29d2fc540820315f1e081a59c1098ddf2b985f7867b6c4f8415a197e4098c738789253a2581139a6aba19391f35cb1bf9df36743285ee55a333e891d6064a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\SITICONE.UI.DLL
Filesize
1.3MB

MD5
750c58af2e56b6addecffcf152520ab8

SHA1
14995e7f1d12498606d9d209d78d55fe6fd87802

SHA256
27c56a28cbde094157206da1bfcd7a395111ab97b8a5ff600b11c2175dcefb26

SHA512
2179790e23f61b3dfea828457f8609279c70b1e071cddc73b1dbda02caa664e0aae2553fc24a4956f9e89c477d66b1a704bde26fa23bc6db26c19e18db00abb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SITICONE.UI.DLL
Filesize
1.3MB

MD5
750c58af2e56b6addecffcf152520ab8

SHA1
14995e7f1d12498606d9d209d78d55fe6fd87802

SHA256
27c56a28cbde094157206da1bfcd7a395111ab97b8a5ff600b11c2175dcefb26

SHA512
2179790e23f61b3dfea828457f8609279c70b1e071cddc73b1dbda02caa664e0aae2553fc24a4956f9e89c477d66b1a704bde26fa23bc6db26c19e18db00abb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Siticone.UI.dll
Filesize
1.3MB

MD5
750c58af2e56b6addecffcf152520ab8

SHA1
14995e7f1d12498606d9d209d78d55fe6fd87802

SHA256
27c56a28cbde094157206da1bfcd7a395111ab97b8a5ff600b11c2175dcefb26

SHA512
2179790e23f61b3dfea828457f8609279c70b1e071cddc73b1dbda02caa664e0aae2553fc24a4956f9e89c477d66b1a704bde26fa23bc6db26c19e18db00abb5

Download Submit
memory/3584-163-0x0000000005B60000-0x0000000005B6A000-memory.dmp

Filesize
40KB

Download
memory/3584-156-0x0000000000D40000-0x0000000000D60000-memory.dmp

Filesize
128KB

Download
memory/3584-157-0x0000000005BB0000-0x0000000006154000-memory.dmp

Filesize
5.6MB

Download
memory/3584-158-0x0000000005600000-0x0000000005692000-memory.dmp

Filesize
584KB

Download
memory/3584-162-0x0000000005570000-0x0000000005596000-memory.dmp

Filesize
152KB

Download
memory/3584-169-0x0000000006340000-0x0000000006350000-memory.dmp

Filesize
64KB

Download
memory/3584-168-0x0000000006340000-0x0000000006350000-memory.dmp

Filesize
64KB

Download
memory/3584-167-0x0000000006350000-0x000000000649E000-memory.dmp

Filesize
1.3MB

Download
memory/4808-137-0x00000000005D0000-0x0000000000EBA000-memory.dmp

Filesize
8.9MB

Download
memory/4808-133-0x00000000005D0000-0x0000000000EBA000-memory.dmp

Filesize
8.9MB

Download
memory/4808-135-0x00000000005D0000-0x0000000000EBA000-memory.dmp

Filesize
8.9MB

Download
memory/4808-134-0x00000000005D0000-0x0000000000EBA000-memory.dmp

Filesize
8.9MB

Download
memory/4808-136-0x00000000005D0000-0x0000000000EBA000-memory.dmp

Filesize
8.9MB

Download
memory/4808-155-0x00000000005D0000-0x0000000000EBA000-memory.dmp

Filesize
8.9MB

Download
memory/4808-139-0x00000000005D0000-0x0000000000EBA000-memory.dmp

Filesize
8.9MB

Download