General

  • Target: client.exe
  • Size: 7.0MB
  • Sample: 231021-zbghesaa51
  • MD5: 5322d9b93041d2d9ae9d70fb01744fe3
  • SHA1: e0a5415a481fb43b197c10cca11578b474e949ef
  • SHA256: 931f821c31a22a02a0e90e158dff41c8db204ddef3a9f0b24a6ef220d148ddb8
  • SHA512: e0edda27f02fde9fae2e401190922c59752671fe24ec98c454868074094921ab8a0c8684e4d768b56ab9c85f2615f90fabc10cca1d30f5fccd8b1171d4d4f118
  • SSDEEP: 98304:k8C8OcFa3e6TywGPfi3roKN70zWbC+KlDn0VsADhpo6m1NKUZFBRyCKa9duT:Wru96uwSq/iCbLEDnaDhS6gL9O

Malware Config

Targets

    • Target: client.exe

    • UAC bypass

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks