Malware Analysis Report

2025-05-05 22:25

Sample ID 231010-nnbbdsdb3w
Target SirHurt V4.exe
SHA256 22e8e3d7e060d661f3d7aa3a8c1161c79ae82da32cee3b8c2c9786fb2e850da1
Tags agilenet evasion themida trojan
Score 9/10

Analysis Overview

Score 9/10

SHA256 22e8e3d7e060d661f3d7aa3a8c1161c79ae82da32cee3b8c2c9786fb2e850da1

Threat Level: Likely malicious

The file SirHurt V4.exe was found to be: Likely malicious.

Malicious Activity Summary

agilenet evasion themida trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Obfuscated with Agile.Net obfuscator

Checks BIOS information in registry

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-10 11:32

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-10 11:32

Reported

2023-10-10 11:35

Platform

win10v2004-20230915-en

Max time kernel

106s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SirHurt V4.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\SirHurt V4.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\SirHurt V4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\SirHurt V4.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
(identical row repeated 5 times)

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
(identical row repeated 3 times)

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\SirHurt V4.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SirHurt V4.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SirHurt V4.exe N/A
(identical row repeated 24 times)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SirHurt V4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SirHurt V4.exe

"C:\Users\Admin\AppData\Local\Temp\SirHurt V4.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 126.211.247.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\bin\DebugData.txt

MD5 12bacf75586ab89c0bd95659e7ec2e82
SHA1 3592b4ba99a1b077e2bf4d6e441fa87a53c9ad7d
SHA256 ac6370319f1406e71b40464a12dc295745dd590c740527ccadafc71eb0d556f2
SHA512 869ba0c24e54ae753007ac7330e51ae8e0663507b1151c95578e0cb700a37ab89f5ea270a83c63977461a4f9e9f57b4166a826ce2fdda054e162cb847bece27c

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-10 11:32

Reported

2023-10-10 11:35

Platform

win7-20230831-en

Max time kernel

38s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SirHurt V4.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\SirHurt V4.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\SirHurt V4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\SirHurt V4.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
(identical row repeated 5 times)

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
(identical row repeated 3 times)

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\SirHurt V4.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SirHurt V4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SirHurt V4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SirHurt V4.exe

"C:\Users\Admin\AppData\Local\Temp\SirHurt V4.exe"

Network

N/A

Files
