General

  • Target

    svchost.exe

  • Size

    7.0MB

  • Sample

    230720-19p3wsbe4w

  • MD5

    f0fa5a1ed8fa64c40da3a4a2b4dc32dc

  • SHA1

    e7a560612b27378d3c31f2c7cc77a44c05258b31

  • SHA256

    1ff0e381166496de02733a8ec7efb9baf0b2e66f983dd3e4f6666f6bdcb70bba

  • SHA512

    6d5803133c8f7e5f29fea2e9d4a842eae154a89be1b41ebaf38c0e1516a129983ff62b97a4359ed1374ad5835657ede29a596061aff1fd999bf4ce8f7823874b

  • SSDEEP

    98304:6B2pC6XG4HNkq5UKPhc24Y1/QPldHVTgPNhV0ADXqQgpkWDRIZVMnu0jjD8ueJU:3cUG4raKu24YY7HVT4hV0AD6QgqKRgX

Malware Config

Targets

    • Target

      svchost.exe

    • Size

      7.0MB

    • MD5

      f0fa5a1ed8fa64c40da3a4a2b4dc32dc

    • SHA1

      e7a560612b27378d3c31f2c7cc77a44c05258b31

    • SHA256

      1ff0e381166496de02733a8ec7efb9baf0b2e66f983dd3e4f6666f6bdcb70bba

    • SHA512

      6d5803133c8f7e5f29fea2e9d4a842eae154a89be1b41ebaf38c0e1516a129983ff62b97a4359ed1374ad5835657ede29a596061aff1fd999bf4ce8f7823874b

    • SSDEEP

      98304:6B2pC6XG4HNkq5UKPhc24Y1/QPldHVTgPNhV0ADXqQgpkWDRIZVMnu0jjD8ueJU:3cUG4raKu24YY7HVT4hV0AD6QgqKRgX

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read to fingerprint sandbox and virtual-machine environments, whose vendor strings differ from those of physical hardware.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing (refusing to run in certain regions).

    • Drops startup file

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects the Agile.Net commercial obfuscator, which supports symbol renaming and control-flow obfuscation.

    • Themida packer

      Detects Themida, a commercial Windows software protector that packs the executable and hinders static analysis and unpacking.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP address.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger information class, which stops the thread from delivering debug events to an attached debugger (anti-debugging).
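
The signatures above describe what the sandbox observed; the script below is an added example (not part of the report or of any sandbox product) showing how an analyst can replay that classification over an API-monitor trace. The trace lines are constructed to resemble a sandbox log and are not output from this sample; the registry paths, the IP-lookup hostnames and the CIS-style GeoID exclusion list are assumptions about what each signature keys on, not artifacts extracted from the sample.

```python
"""Triage helper for sandbox API traces.

Added example: classifies API-monitor events into the behaviours the report
lists (anti-VM ACPI lookups, BIOS reads, geofence lookup, Run-key persistence,
UAC check, ThreadHideFromDebugger, external IP lookup). The trace below is
constructed to look like a sandbox log; it is not output from this sample.
"""
import re

# Windows GeoID values as documented by Microsoft (used by the geofence helper).
GEOID_NAMES = {29: "BY", 137: "KZ", 203: "RU", 241: "UA", 244: "US"}
# Assumption: a CIS-style exclusion list, the usual shape of a geofence.
CIS_GEOIDS = {29, 137, 203, 241}

# (label, API-name pattern, target pattern). Labels mirror the report's
# signatures; the registry paths are the well-known locations such checks
# read, assumed here rather than extracted from the sample.
RULES = [
    ("anti_vm_acpi", r"^RegQueryValueEx", r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\"),
    ("bios_check", r"^RegQueryValueEx", r"\\HARDWARE\\DESCRIPTION\\System\\\w*Bios\w*$"),
    ("geofence_lookup", r"^RegQueryValueEx", r"\\Control Panel\\International\\Geo\\Nation$"),
    ("run_key_persistence", r"^RegSetValueEx", r"\\CurrentVersion\\Run(Once)?\\"),
    ("uac_check", r"^RegQueryValueEx", r"\\Policies\\System\\EnableLUA$"),
    # ThreadHideFromDebugger is THREADINFOCLASS 0x11.
    ("hide_from_debugger", r"^NtSetInformationThread$", r"(^|,)class=0x11(,|$)"),
    # Hypothetical lookup hosts; the report does not name the service used.
    ("external_ip_lookup", r"^(InternetOpenUrl|WinHttpOpenRequest|HttpSendRequest)",
     r"ipify|ip-api|icanhazip|ifconfig\.me"),
]
COMPILED = [(label, re.compile(api), re.compile(target, re.I)) for label, api, target in RULES]

ANTI_ANALYSIS = {"anti_vm_acpi", "bios_check", "hide_from_debugger"}

# Constructed trace, one "api|target|value" event per line.
SAMPLE_TRACE = r"""
RegQueryValueExW|HKLM\HARDWARE\ACPI\DSDT\VBOX__|
RegQueryValueExW|HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion|VBOX   - 1
RegQueryValueExW|HKCU\Control Panel\International\Geo\Nation|244
RegSetValueExW|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost|C:\Users\user\AppData\Roaming\svchost.exe
RegQueryValueExW|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA|1
NtSetInformationThread|class=0x11|
InternetOpenUrlW|https://api.ipify.org/|
CreateFileW|C:\Users\user\AppData\Roaming\svchost.exe|
"""


def parse_trace(text):
    """Parse 'api|target|value' lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|", 2)
        if len(parts) != 3:
            continue
        api, target, value = parts
        events.append({"api": api, "target": target, "value": value})
    return events


def classify(events):
    """Map each event to every rule it satisfies; returns {label: [events]}."""
    hits = {}
    for ev in events:
        for label, api_re, target_re in COMPILED:
            if api_re.search(ev["api"]) and target_re.search(ev["target"]):
                hits.setdefault(label, []).append(ev)
    return hits


def geofence_decision(nation_value, excluded=CIS_GEOIDS):
    """Replay the decision a geofenced sample makes from the Geo\\Nation value.

    Returns 'exit' when the GeoID is on the exclusion list, otherwise 'run'.
    A non-numeric value is treated as 'run' (assumption: unknown means no match).
    """
    try:
        geoid = int(nation_value)
    except ValueError:
        return "run"
    return "exit" if geoid in excluded else "run"


def verdict(hits):
    """Condense hits into the traits an analyst triages on."""
    traits = []
    if ANTI_ANALYSIS & set(hits):
        traits.append("anti-analysis")
    if "geofence_lookup" in hits:
        traits.append("geofenced")
    if "run_key_persistence" in hits:
        traits.append("persistent")
    if "external_ip_lookup" in hits:
        traits.append("beacons-external-ip")
    return ", ".join(traits) if traits else "no notable behaviour"


if __name__ == "__main__":
    hits = classify(parse_trace(SAMPLE_TRACE))
    for label, evs in hits.items():
        print(f"{label}: {len(evs)} event(s), first target {evs[0]['target']}")
    nation = hits["geofence_lookup"][0]["value"]
    print("geofence:", GEOID_NAMES.get(int(nation), nation), "->", geofence_decision(nation))
    print("verdict:", verdict(hits))
```

The same rules can be pointed at your own analysis VM: if `HKLM\HARDWARE\ACPI\DSDT\VBOX__` or a `VBOX` string in `SystemBiosVersion` is present, a sample carrying the first two signatures will see it, so hide or rename those artifacts before detonating. The geofence helper is the reason to record the `Geo\Nation` value the sandbox reports: a sample that reads it and then exits without dropping anything has probably not misbehaved, it has declined to run.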

MITRE ATT&CK Enterprise v15

Tasks