General

  • Target

    944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821

  • Size

    12.7MB

  • Sample

    230925-njkz2afh32

  • MD5

    2f54c844bf90892fde210329fbacad48

  • SHA1

    3544376cc1f6785b9b76afe09ce72af3c1913218

  • SHA256

    944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821

  • SHA512

    9e419eb085ef56cbe021dbdb6335df463666b0f30885cf24cc8f7e942b83259383ebe7a26c33aa6f4435739d39cc82faad9745c7a17007c44f721a2307f33ecc

  • SSDEEP

    196608:VcmdOPbQYGlZm+Uw1WgnmGH+7r7qQVYmGWqEVgM2mCM08bnlXsNbcAHo4GGU5Q/U:YbQp1hXH+7rOuSM/CMRbne2WO5Q/U

Malware Config

Targets

    • Target

      944a9f07e7bb2b0bdb322dacf89b2cfb36277f2a3d2af0fd4d79b7c24daed821

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks