General

  • Target

    XClient.exe

  • Size

    5.3MB

  • Sample

    230725-nc4hsscc35

  • MD5

    09313f75bf7b1ad40d2156ac7be6bec0

  • SHA1

    f602adb77ee5ea05f4baa626d28b28a91f4f10bb

  • SHA256

    9b4dea15c5cf9e10463781bba3cb4988fde7a21e44865ecf81d3fa80fb14dc00

  • SHA512

    5955654439a4f7e2a16eb8c6c2f74c95fd9206ff80a992d814c1a26901a7a9ab1583fc59d56929480e88fb7d95111e5ba4af10793ec2e8939f88dd87b28e0c4c

  • SSDEEP

    98304:7VNN/N91h2eDZQjL7sU8I5DKBWoClkRGJewd8Y3evBQ9LtYVrEx3/o6ETgKbWyu:779GeDVI5DKBWZlkgJedYs6LtYdEhqTp

Malware Config

Targets

    • Target

      XClient.exe

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
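The behaviour signatures above (ACPI/VirtualBox lookup, BIOS check, UAC check, Run-key persistence, external IP lookup) can be expressed as detection logic over a process's registry and DNS activity. The following is an added example, not code from the report or from the sandbox vendor. The event tuples are constructed for the example, the registry paths are assumptions based on well-known Windows locations rather than values taken from the report, and `ip-lookup.example` is a placeholder hostname, not the service the sample actually contacted.

```python
"""Match sandbox-style signatures against constructed registry/DNS events.

Added example; not from the original report. Registry paths are assumed
(well-known locations), the event format and hostnames are constructed.
"""
import re
from collections import defaultdict

# Constructed events: (image, operation, target). "operation" is a generic
# registry API name (not a specific tool's schema) or "DnsQuery".
SAMPLE_EVENTS = [
    ("XClient.exe", "RegQueryValue", r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"),
    ("XClient.exe", "RegQueryValue",
     r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    ("XClient.exe", "RegQueryValue",
     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    ("XClient.exe", "RegSetValue",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\XClient"),
    ("XClient.exe", "DnsQuery", "ip-lookup.example"),  # placeholder, constructed
    ("notepad.exe", "RegQueryValue", r"HKCU\Software\Microsoft\Notepad\iWindowPosX"),
]

# Placeholder list of IP-echo services; a real deployment would carry the
# hostnames it actually sees in telemetry.
IP_LOOKUP_HOSTS = {"ip-lookup.example"}

# (signature name, operations that count, target pattern). Paths are assumed.
RULES = [
    # VirtualBox exposes ACPI tables whose OEM ID is "VBOX__".
    ("Identifies VirtualBox via ACPI registry values", {"RegOpenKey", "RegQueryValue"},
     re.compile(r"\\HARDWARE\\ACPI\\[A-Z]+\\VBOX__", re.I)),
    # BIOS strings are commonly compared against sandbox/VM vendor names.
    ("Checks BIOS information in registry", {"RegQueryValue"},
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\"
                r"(SystemBiosVersion|SystemBiosDate|VideoBiosVersion|BIOS\\[^\\]+)$", re.I)),
    ("Checks whether UAC is enabled", {"RegQueryValue"},
     re.compile(r"\\Policies\\System\\EnableLUA$", re.I)),
    # A write (not a read) of a value under the per-user Run key.
    ("Adds Run key to start application", {"RegSetValue"},
     re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)),
]

EVASION = {
    "Identifies VirtualBox via ACPI registry values",
    "Checks BIOS information in registry",
}
PERSISTENCE = {"Adds Run key to start application"}


def match_events(events):
    """Return {image: sorted signature names} for every image that hits a rule."""
    hits = defaultdict(set)
    for image, op, target in events:
        for name, ops, pattern in RULES:
            if op in ops and pattern.search(target):
                hits[image].add(name)
        if op == "DnsQuery" and target.lower() in IP_LOOKUP_HOSTS:
            hits[image].add("Looks up external IP address via web service")
    return {image: sorted(names) for image, names in hits.items()}


def triage_verdict(signatures):
    """Anti-analysis plus persistence in one process is the strongest signal."""
    seen = set(signatures)
    if seen & EVASION and seen & PERSISTENCE:
        return "likely malicious"
    if seen:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    for image, names in match_events(SAMPLE_EVENTS).items():
        print(image, triage_verdict(names))
        for name in names:
            print("  -", name)
```

Note that these are read-side indicators: the BIOS, ACPI and UAC checks only show up in telemetry that records registry reads (a sandbox API trace or an EDR with query hooks), so a detection pipeline built on write-only sources will see the Run-key set and the DNS query but miss the anti-VM reconnaissance.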

MITRE ATT&CK Enterprise v15

Tasks