Malware Analysis Report

2025-05-28 16:41

Sample ID 230704-ga3edscf8y
Target svchost.exe
SHA256 1a5ef68208365f3575fb08d6fba84b3a8a6564cec61db97279a8574522defe7c
Tags agilenet evasion themida trojan
Score 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 9/10

SHA256 1a5ef68208365f3575fb08d6fba84b3a8a6564cec61db97279a8574522defe7c

Threat Level: Likely malicious

The file svchost.exe was found to be: Likely malicious.

Malicious Activity Summary

agilenet evasion themida trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Obfuscated with Agile.Net obfuscator

Themida packer

Checks BIOS information in registry

Loads dropped DLL

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Program crash

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-07-04 05:36

Signatures

Obfuscated with Agile.Net obfuscator

Tags agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-07-04 05:36

Reported 2023-07-04 05:37

Platform win10v2004-20230703-en

Max time kernel 7s

Max time network 11s

Command Line

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Tags evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Obfuscated with Agile.Net obfuscator

Tags agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Themida packer

Tags themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

Tags evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\system32\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 436 -p 4724 -ip 4724

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4724 -s 1484

Network

Country Destination Domain Proto
US 8.8.8.8:53 164.113.223.173.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 assets.msn.com udp
NL 95.101.74.139:443 assets.msn.com tcp
US 8.8.8.8:53 139.74.101.95.in-addr.arpa udp

Files

memory/4724-133-0x0000000000970000-0x000000000108E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\99096b4b-3055-4c6a-a348-9f002740163e\AgileDotNetRT64.dll

MD5 05b012457488a95a05d0541e0470d392
SHA1 74f541d6a8365508c794ef7b4ac7c297457f9ce3
SHA256 1f77a0749ac730500f203b8c4d072587923ac679e184a3859aeb855c2a2e7d8d
SHA512 6d6e7b838d4425d49ac8d3738135374ef5357f0677b07cecb7afbf5feddc1997bf6dce68d48787eff8a74c4728def8880c8f01842eda35b5815fb561fa401ae6

memory/4724-140-0x00007FFC93260000-0x00007FFC93DE4000-memory.dmp

memory/4724-142-0x00007FFC93260000-0x00007FFC93DE4000-memory.dmp

memory/4724-143-0x00007FFCA5650000-0x00007FFCA579E000-memory.dmp

memory/4724-144-0x00007FFC93260000-0x00007FFC93DE4000-memory.dmp